Video Open Ai

Security checks across malware telemetry and agentic risk

Overview

This cloud video-editing skill is mostly purpose-aligned, but it can automatically connect to a third-party API and route broad or ambiguous video requests to that service without clear consent.

Review before installing if you work with private, client, copyrighted, or sensitive videos. Use a dedicated NemoVideo token if possible, assume prompts and uploaded files may be sent to the NemoVideo cloud service, and avoid vague requests unless you intend remote processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 87%
Finding
The example trigger phrase "generate my video clips" is broad enough to match ordinary user conversation about videos, which can cause the skill to activate when the user did not explicitly intend to invoke this remote-processing workflow. In this skill, unintended activation is more concerning because it can initiate automatic setup, token acquisition, and transmission of user prompts or media to a third-party API.

Vague Triggers

Medium
Confidence: 91%
Finding
The phrase fragment "trim the footage, add captions, and" is too vague and incomplete to safely scope activation, and overlaps with normal editing requests a user might make in unrelated contexts. Because this skill is configured to route broad edit requests into backend actions, vague triggers increase the chance of accidental invocation and unintended transfer of user content to the external video API.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description markets easy AI video editing but does not clearly warn that uploaded videos and prompts are sent to a remote processing API and handled on cloud infrastructure. This undermines informed consent and can expose sensitive media, metadata, or prompt contents when users believe processing is local or transparent.

VirusTotal

66/66 vendors flagged this skill as clean.
