Nm Scry Vhs Recording

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only helper for making VHS terminal recordings, with ordinary cautions around running tape commands and optional public publishing.

Install only if you intend to create VHS terminal recordings. Inspect tape files before running them, including `Hide`/`Show` blocks and `Source` includes, use test or sanitized data, confirm the `Output` path, and avoid `--publish` unless the resulting recording is safe to share publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The guide explicitly documents `vhs tape-file.tape --publish`, which sends generated recordings to a public remote service. That exceeds the narrowly stated skill purpose of generating local terminal-recording GIFs and creates a real data disclosure risk if users record sensitive terminal content and follow the example without realizing it is public.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
Documenting public publication capability without tying it to the declared skill scope broadens the operational behavior users may adopt. In a recording tool, terminal sessions can easily include secrets, internal hostnames, or proprietary commands, so normalizing a public upload path increases the chance of unintended disclosure.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes broad, everyday terms like "terminal," "gif," "demo," and "tutorial," which can cause the skill to activate in contexts unrelated to VHS tape generation. This increases the chance of unintended invocation, which may lead an agent to run validation or shell commands in situations where the user did not specifically request this skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The example shows a public publishing command but does not warn users that the destination is public or that terminal recordings may expose sensitive information. Because this is instructional content, omission of a disclosure warning makes accidental unsafe use more likely.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation explicitly teaches use of `Hide`/`Show` to conceal terminal actions, including an example of running "secret setup commands". In a recording/demo skill, this creates a real transparency and trust risk because viewers can be misled about what was executed, and hidden commands could perform unsafe setup, modify state, or exfiltrate data without being visible in the resulting artifact.

VirusTotal

65/65 vendors flagged this skill as clean.
