Video Editing With Descript

Security checks across malware telemetry and agentic risk

Overview

This video-editing skill does what it describes at a high level, but it may mislead users into sending private videos to NemoVideo while appearing branded as Descript.

Install only if you are comfortable sending videos, audio, captions, edit instructions, and session metadata to NemoVideo's cloud service. Avoid confidential interviews, client footage, unreleased business media, or regulated content unless you have verified the provider's privacy, retention, and deletion practices; treat NEMO_TOKEN as a credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (89% confidence)

The routing table sends 'Everything else' to the SSE action, which effectively makes this skill a catch-all for many unrelated prompts. That can cause accidental invocation, unintended transmission of user prompts or files to the third-party backend, and confusion about which skill is handling sensitive requests. In a skill that uploads media and forwards free-form instructions to a cloud service, broad routing increases privacy and data-handling risk.

Missing User Warnings

Medium (95% confidence)

The skill instructs users to send raw video footage to a cloud backend and auto-establishes a session/token flow, but it does not clearly warn that potentially sensitive video, audio, captions, and instructions will be transmitted to an external service. Users may upload interviews or other personal/confidential recordings without informed consent about third-party processing, retention, or privacy implications. Because the content may contain faces, voices, and private conversations, this omission materially increases privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.
