ClawHub

SRT to Video

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate a local Remotion subtitle-video project and does not show hidden data access, credential use, or exfiltration behavior.

Before installing or running it, review the generated project files and run npm install/render commands in a normal project or sandbox environment. Expect npm network access, and note that the provided templates may need additional Remotion entry/composition files before the project runs as described.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill instructions and examples are entirely in Chinese, and the generated subtitle styling rules are framed around Chinese character counts (for example, font sizing by 字). There is no natural-language indication that users may choose another language or that the skill is intentionally restricted to a Chinese-only regional/compliance use case.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@remotion/cli": "4.0.242",
    "@remotion/google-fonts": "4.0.242",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "remotion": "4.0.242"
  },
Confidence
40% confidence
Finding
"react": "^18.3.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@remotion/cli": "4.0.242",
    "@remotion/google-fonts": "4.0.242",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "remotion": "4.0.242"
  },
  "devDependencies": {
Confidence
40% confidence
Finding
"react-dom": "^18.3.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"remotion": "4.0.242"
  },
  "devDependencies": {
    "@types/react": "^18.3.11",
    "typescript": "^5.6.3"
  }
}
Confidence
40% confidence
Finding
"@types/react": "^18.3.11"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "@types/react": "^18.3.11",
    "typescript": "^5.6.3"
  }
}
Confidence
40% confidence
Finding
"typescript": "^5.6.3"

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal