Video Editing With OBS

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud video-editing skill, but users should know their recordings and editing prompts go to NemoVideo’s external service.

Install only if you are comfortable sending selected OBS recordings, edit instructions, and session metadata to NemoVideo’s cloud API. Avoid uploading private screen recordings unless you intend that processing, and be careful with unrelated conversation while an editing session is active because broad prompts may be forwarded to the backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The suggested trigger phrases are broad enough that ordinary user language about editing recordings could invoke the skill without a clearly scoped consent boundary. In a skill that automatically connects to a third-party API and may initiate token/session setup before further clarification, overly broad invocation increases the risk of accidental activation and unintended data sharing flows.

Vague Triggers

Medium
Confidence: 93%
Finding
The catch-all rule routing 'Everything else' to the SSE action is overly permissive and can cause a wide range of unrelated prompts to be sent to the backend. Because SSE sends free-form user text to an external service, ambiguous routing materially increases the chance of accidental exfiltration of sensitive user content or unintended remote actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill describes cloud rendering and upload behavior but does not present an explicit user-facing warning that recordings are sent to a third-party cloud service for processing. Since OBS recordings can contain sensitive screen contents, credentials, private messages, or proprietary material, failing to clearly disclose remote upload and processing undermines informed consent and can lead to privacy and confidentiality harm.

VirusTotal

66/66 vendors flagged this skill as clean.
