Video Summarizer (视频摘录+Notion存档)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its video-summary purpose, but it can automatically send generated summaries to Notion whenever Notion credentials are present, even without the documented push option.

Review before installing. Use dedicated low-privilege LLM, OSS, Groq, Notion, and Bilibili credentials; avoid confidential videos; remove Notion credentials unless you want automatic archiving; and consider patching the workflow so Notion upload only runs when --push is explicitly supplied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Tainted flow: 'share_url' from requests.get (line 106, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
        raise ValueError("未找到有效的分享链接")

        share_url = urls[0]
        share_response = requests.get(share_url, headers=HEADERS)
        video_id = share_response.url.split("?")[0].strip("/").split("/")[-1]
        share_url = f'https://www.iesdouyin.com/share/video/{video_id}'
Confidence: 93%
Finding: share_response = requests.get(share_url, headers=HEADERS)

Tainted flow: 'video_info' from os.getenv (line 436, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        if show_progress:
            print(f"正在下载视频:{video_info['title']}")

        response = requests.get(video_info['url'], headers=HEADERS, stream=True)
        response.raise_for_status()

        # Get the file size
Confidence: 85%
Finding: response = requests.get(video_info['url'], headers=HEADERS, stream=True)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises and requires powerful capabilities including environment-variable access, file read/write, shell execution, and network access, but does not declare explicit permissions. This creates a transparency and governance gap: users and platforms cannot accurately assess the privilege level before installation, increasing the risk of over-privileged execution and accidental exposure of secrets such as API keys and cookies.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: This script performs an interactive Bilibili login and persists account cookies to disk, creating reusable authentication material. For a video summarization skill, acquiring and storing full session cookies is broader than minimally necessary and increases the risk of account takeover if the file is exposed, reused by other components, or mishandled.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The script pushes content to Notion whenever credentials are present, regardless of whether the user explicitly supplied --push. That expands the skill's authority from local summarization to external data exfiltration, and could leak transcripts, screenshots, metadata, or private video-derived content to a third-party service without clear user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The script inspects and modifies $HOME/.openclaw/.env permissions even though its core task is video summarization. Touching unrelated credential storage is overbroad privilege use and can interfere with user-managed secrets or unexpectedly alter files outside the declared output scope.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The README advertises one-click Notion publishing but does not clearly warn that generated summaries and possibly associated metadata will be transmitted to a third-party SaaS. This creates a privacy and data-governance risk because users may process sensitive video content under the assumption that output remains local unless they infer otherwise from the Notion API configuration.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The setup requires Alibaba OSS credentials and the skill description says screenshots are automatically uploaded, but the README does not prominently warn that screenshots and related assets are sent to external cloud storage. Screenshots can contain sensitive information from videos, so undisclosed cloud upload behavior can lead to unintended exposure or compliance violations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script sends full subtitle transcript text plus video metadata to an external LLM service via `client.analyze_simple(...)` without any consent flow, disclosure, minimization, or policy gate in this file. Because subtitles may contain personal, confidential, or copyrighted material and the service endpoint is configurable through environment variables, this creates a real data-exfiltration/privacy risk rather than a purely cosmetic UX issue.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script writes live authentication cookies to a plaintext output file without warning the user that these credentials can be reused to access their Bilibili account. If the file is stored in an insecure location, committed to a repository, or read by other local users/processes, it can enable account takeover or session hijacking.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script uploads local audio content to Groq when GROQ_API_KEY is configured, but it does not provide an explicit user-facing consent prompt or strong warning at the point of transfer. In a skill that processes potentially sensitive recordings, silent third-party transmission increases privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The thumbnail upload path fetches an arbitrary external URL from metadata and then uploads the response to OSS, effectively turning the script into a network-fetch primitive. If an attacker can influence metadata, this can be abused for SSRF-like access to internal services, unexpected outbound requests, or storing untrusted content in the user's bucket without clear consent.

Ssd 1

Severity: Medium
Confidence: 93%
Finding: Untrusted subtitle text is interpolated directly into the LLM prompt, so a crafted transcript can include prompt-injection content such as instructions to ignore the template, emit malformed JSON, leak hidden instructions, or manipulate downstream Markdown content. In this skill, that can degrade output integrity and potentially produce unsafe or misleading rendered summaries because model output is trusted and fed into later processing.

Ssd 1

Severity: Medium
Confidence: 84%
Finding: Loading the prompt template from external `prompt.json` moves security-sensitive model behavior out of reviewed code and allows prompt tampering to silently change what data is sent or how the model behaves. If that file is modified by a package update, compromised dependency, or local attacker, the skill can be redirected to exfiltrate data, weaken guardrails, or produce attacker-controlled output.

VirusTotal

65/65 vendors flagged this skill as clean.