ClawHub

YouTube SERP Scout for agents. Search top-ranking videos, channels, and trends for content research and competitor tracking

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward YouTube search helper that sends user-directed queries to AIsa using an API key.

Install only if you trust the publisher and AIsa. Use a dedicated, revocable AISA_API_KEY, monitor usage or credits, and avoid sending secrets, personal data, or confidential business research terms in search queries because they are transmitted to api.aisa.one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares required binaries and an API key in metadata and provides examples that perform outbound network requests, but there is no explicit permission declaration or user-facing notice about those capabilities. In agent environments, this can undermine least-privilege expectations and cause users to authorize or invoke a skill without realizing it can read environment secrets and transmit data externally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs the agent to send user-supplied search queries to a third-party service authenticated with an API key, but it does not warn that prompts, topics, and possibly sensitive research terms will leave the local environment. This is risky because users may enter confidential business intelligence, customer data, or internal investigation terms assuming the skill operates locally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal