ClawHub

Video Editor Openai

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real NemoVideo cloud video tool, but it needs review because broad prompts and uploaded media may be sent to a third-party API without clear user confirmation.

Review before installing. Use it only if you are comfortable with NemoVideo receiving your prompts, uploaded media, session metadata, and token-backed requests. Avoid confidential personal, business, legal, medical, or unreleased creative material unless you trust that provider’s handling of the data, and ask for confirmation before any upload or remote session setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The example trigger phrases are very generic, such as requests to edit footage or export MP4s, which can overlap with ordinary user messages and cause accidental activation of the skill. In this context, accidental activation matters because the skill is designed to immediately connect to an external API and may prompt users to upload media to a third-party service without a strong upfront disclosure.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The routing logic includes a broad catch-all rule that sends 'Everything else' to the SSE action, meaning many unrelated prompts could be forwarded to the remote backend. This increases the risk of unintended data disclosure because arbitrary user text may be transmitted to a third-party API even when the user did not clearly intend to use this skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description emphasizes convenience but does not clearly warn users that uploaded video files and prompts are sent to a third-party cloud processing API. Because video content often contains sensitive personal, business, or unreleased material, lack of disclosure undermines informed consent and can lead to privacy and data-handling risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal