Video Trimmer Online Free

Security checks across malware telemetry and agentic risk

Overview

This is a cloud video-editing skill, but it asks for broad backend access and media handling with weak user-facing consent and a wider scope than simple trimming.

Install only if you are comfortable sending selected videos, edit instructions, and related metadata to NemoVideo’s cloud service. Use a dedicated token if possible, avoid sensitive recordings unless you understand the provider’s retention and privacy practices, and expect the skill to do broader cloud video-editing work beyond simple trimming.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a simple video trimmer, but the documented behavior clearly enables broader media editing, generation, and timeline manipulation workflows. This scope mismatch can mislead users and reviewers about what the skill actually does, reducing informed consent and increasing the chance that users send content or requests they would not have authorized under a narrowly described trimming tool.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The declared supported formats include many media types beyond the stated MP4/MOV/AVI/WebM trimming use case, including images and audio formats. This broadens the operational scope in a way that is not transparently communicated in the manifest, which can conceal materially different handling of user data and expand the attack surface of the skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill requests access to an environment token and a local config path even though the advertised function is simple cloud video trimming. Access to local configuration directories and reusable bearer tokens can expose sensitive credentials or user-specific metadata beyond what is needed for a minimally scoped trimming workflow.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The skill instructs the agent to auto-detect the platform from the install path and send it as an attribution header. While not severe by itself, this is unnecessary environment fingerprinting for a basic trimming workflow and can leak host/context information to the remote service without meaningful user benefit.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The opening invocation guidance is broad enough that ordinary conversation about videos could activate the skill unintentionally. Over-broad triggering is dangerous because it can cause backend connection setup and possible data transfer without a clearly bounded user intent to invoke this specific cloud service.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Example trigger phrases such as 'trim my video clips' or 'export 1080p MP4' are generic and overlap with normal assistant requests. This increases the risk of accidental activation and unintended submission of user content to the remote API under the guise of a specialized skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that user videos are uploaded to a cloud rendering pipeline, but it does not require an explicit warning or consent step at the point of transfer. Because videos often contain sensitive personal, biometric, or proprietary content, undisclosed cloud upload materially increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
