Mov To Mp4 Converter

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real cloud media conversion skill, but it does more than simple MOV-to-MP4 conversion and sends user media to a third-party backend.

Review before installing, especially for private, client, regulated, or copyrighted videos. This skill may upload files or URLs to mega-api-prod.nemovideo.ai, create anonymous backend tokens, maintain remote sessions, and perform broader media editing or generation operations than the name implies. Prefer a local converter such as ffmpeg for sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High (95% confidence)
Finding
The skill is presented as a narrow MOV-to-MP4 converter, but the body describes a broad remote media editing/generation workflow with SSE commands, session state inspection, and generic export operations. This scope mismatch is dangerous because users and hosting platforms may grant trust, data access, and network privileges based on the simpler claimed purpose while the skill actually enables much broader remote processing behavior.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
A skill branded as MOV-to-MP4 conversion advertises support for many unrelated media formats and outputs, which materially expands its operational scope beyond user expectations. This increases the chance of misuse, policy bypass, and accidental handling of data types the user did not intend to send to a third-party backend.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
For a simple local-seeming format conversion tool, requiring a cloud token, anonymous authentication, and persistent remote session creation is more privilege and infrastructure than users would reasonably expect. This creates unnecessary exposure of user media and metadata to a remote service and increases the attack surface through credential handling and session management.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
Allowing URL-based media ingestion is not necessary for converting a user-provided MOV file and broadens the skill into arbitrary remote fetch behavior. That can be abused to pull unexpected content into the backend, create privacy issues, or facilitate server-side request abuse depending on how the backend resolves and fetches URLs.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs uploading media to a remote cloud backend and managing remote sessions, but it does not prominently warn users that their files and processing data leave the local environment. For media files, this can expose sensitive personal, corporate, or copyrighted content without meaningful informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.
