ClawHub

Video Transcript Workflow

Security checks across malware telemetry and agentic risk

Overview

This is a coherent transcription and draft-generation skill, with privacy cautions around automatic web lookups and saved preferences.

Install only if you are comfortable with local transcription scripts creating transcript and Markdown files. For confidential, regulated, or unreleased recordings, tell the agent to skip web enrichment and avoid saving preferences to MEMORY.md. Review generated drafts for accuracy, privacy, copyright, and platform compliance before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs storing user preferences in MEMORY.md for future reuse, creating persistent profile data beyond the immediate transcription task. This increases privacy risk, retention scope, and possible cross-session leakage of sensitive preferences or prior context without clear consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill automatically performs web research during transcript enhancement without making that expansion of data handling central in the manifest. Transcript content may contain sensitive business, personal, or copyrighted material, and sending excerpts or derived queries to external services can expose user data beyond the original transcription purpose.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states that the skill will perform automatic online searches to supplement terminology and background knowledge, but it does not warn users that transcript-derived content or metadata may be sent to external services. In a transcription workflow, source material often contains sensitive business, personal, or unpublished information, so silent network transmission creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises '3分钟无响应自动继续' and the workflow diagram repeats that processing will auto-continue after a timeout, which weakens meaningful user consent. For media transcription and downstream publishing, automatic continuation can trigger processing, editing, or external dissemination of sensitive content even when the user has not affirmatively approved the inferred settings.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs automatic web-based knowledge enrichment yet does not clearly warn users that transcript excerpts, concepts, or derived content may be transmitted to external services. This undermines informed consent and can leak sensitive media content or confidential terminology during enrichment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill says user preferences and history are recorded in MEMORY.md for future runs, but it does not provide a clear upfront privacy warning or consent workflow. Silent persistence of behavioral/profile data can violate user expectations and increase exposure if the memory file is later accessed by other skills or users.

Ssd 3

Medium
Confidence
96% confidence
Finding
Persistent recording of user preferences into MEMORY.md creates a durable natural-language memory store that may accumulate sensitive personal, professional, or behavioral information over time. Such files are often easy to overlook, broadly readable by other workflows, and prone to unintended reuse or disclosure.

Ssd 3

Medium
Confidence
97% confidence
Finding
The explicit instruction to write user preferences to MEMORY.md for future automatic application normalizes long-term retention of user profile data without clear boundaries. Because this is framed as an automatic behavior, it raises the risk of silent collection, cross-task inference, and privacy leakage beyond the user’s immediate request.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal