YouTube Content Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real YouTube content tool, but its payment handling, embedded service keys, and third-party AI data sharing are not disclosed or scoped clearly enough.

Review carefully before installing. Only use this if you are comfortable with a local Flask app that contacts SkillPay and SiliconFlow, stores your drafts locally, and has unclear billing semantics. The publisher should remove embedded keys, document the exact providers and charges, require user-supplied credentials or scoped configuration, and disable public debug serving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation declares no permissions while the described behavior clearly depends on external network access for payment and AI generation. This mismatch is dangerous because users and reviewers cannot accurately assess what external communication occurs, and hidden network use can enable unanticipated data transfer or billing-related actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose does not match the reported runtime behavior: the skill allegedly contacts undeclared external AI services, includes hardcoded payment and AI credentials, and appears to trigger payment validation/charging flows more broadly than claimed. This is dangerous because behavior that exceeds the stated scope can conceal unauthorized data exfiltration, unexpected billing, or deceptive functionality that users did not knowingly approve.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded SkillPay API key is exposed directly in the markdown, which makes the credential immediately recoverable by anyone who can read the file. Exposed payment-service credentials can be abused to create fraudulent charges, impersonate the service, or consume paid resources, creating both financial and trust impacts.
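The two findings above (undeclared network use and a recoverable key in the skill markdown) are exactly what a reviewer can check before installing. The following is an added example, not code from the skill or from the scanner: a small stand-alone audit that pulls every outbound host out of a SKILL.md, diffs it against the hosts the skill declares, and flags key-like literals while filtering out obvious placeholders by pattern and by Shannon entropy. The sample skill text, its hosts, the key string, the `permissions`-as-host-set convention and the 3.5-bit entropy cutoff are all constructed assumptions for this illustration.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample skill file (not the real skill): it claims local-only
# storage and declares no network access, yet its code calls two external
# services and carries one real-looking key plus one placeholder.
SAMPLE_SKILL_MD = """\
# Title Generator
Your drafts are stored locally. Safe and reliable.
Pricing: 0.001 USDT per call.

    PAY_API_KEY = "sk_live_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"
    AI_API_KEY = "YOUR_API_KEY_HERE"
    requests.post("https://api.example-pay.test/v1/charge", json={"amount": 0})
    requests.post("https://api.example-ai.test/v1/chat/completions", json=body)
"""

URL_RE = re.compile(r"https?://[^\s\"'<>()\]]+")
# A name containing KEY/SECRET/TOKEN/PASSWORD assigned a quoted literal of 16+ chars.
CRED_RE = re.compile(
    r"\b([A-Za-z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*)\s*[:=]\s*[\"']([^\"'\s]{16,})[\"']",
    re.IGNORECASE,
)
PLACEHOLDER_RE = re.compile(r"your_|changeme|example|xxx|<", re.IGNORECASE)
MIN_ENTROPY_BITS = 3.5  # assumption: lower-entropy literals are treated as placeholders


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys sit well above prose-like placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def referenced_hosts(text: str) -> set[str]:
    """Every host named in an http(s) URL anywhere in the skill text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def undeclared_hosts(text: str, declared: set[str]) -> set[str]:
    """Least-privilege check: hosts the skill contacts but never declares."""
    return referenced_hosts(text) - set(declared)


def hardcoded_credentials(text: str) -> list[tuple[str, str]]:
    """Exposed-credential check; returns (name, redacted prefix) so the report itself
    does not become another copy of the secret."""
    hits = []
    for name, value in CRED_RE.findall(text):
        if PLACEHOLDER_RE.search(value) or shannon_entropy(value) < MIN_ENTROPY_BITS:
            continue
        hits.append((name, value[:8] + "..."))
    return hits


def audit(skill_md: str, declared: set[str]) -> dict:
    hosts = undeclared_hosts(skill_md, declared)
    creds = hardcoded_credentials(skill_md)
    return {
        "undeclared_hosts": sorted(hosts),
        "credentials": creds,
        "install_ok": not hosts and not creds,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SKILL_MD, declared=set())  # the sample declares nothing
    for host in report["undeclared_hosts"]:
        print(f"undeclared outbound host: {host}")
    for name, prefix in report["credentials"]:
        print(f"hardcoded credential: {name} = {prefix}")
    print("safe to install:", report["install_ok"])
```

Run against the sample, the audit reports both payment and AI hosts as undeclared and flags `PAY_API_KEY` while ignoring the `YOUR_API_KEY_HERE` placeholder; supplying the two hosts as declared clears the network finding but the embedded key still blocks installation, which matches the remediation the overview asks of the publisher.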

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
Claiming that data is locally stored and 'safe and reliable' while simultaneously instructing use of external OpenAI and payment services is misleading about the actual privacy boundary. This can cause users to submit sensitive content under false assumptions, when in reality prompts, metadata, or payment information may leave the local environment.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The billing logic does not match the stated pricing model: per-call charging uses amount 0 while the payment-link flow requests amount 8, despite the description claiming 0.001 USDT per call. This creates deceptive or incorrect billing behavior that can lead to unauthorized charges, user confusion, and loss of trust, especially because payment enforcement runs automatically on every request from a Flask before_request hook rather than at an explicit, user-visible checkout step.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown discusses payment integration and includes API-key usage without any warning that credentials are sensitive or that using third-party payment/AI services has privacy and security implications. In this case the issue is amplified because a live-looking key is actually present, making accidental leakage and misuse far more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-supplied content such as niche and topic_title is transmitted to third-party services, and billing-related identifiers are also sent externally, with no evidence of user consent, notice, or data-minimization controls. This is dangerous because sensitive business ideas, unpublished content plans, or user identifiers may be exposed to external processors without transparency.

VirusTotal

64/64 vendors report this skill as clean (no detections). Note that this reflects antivirus signature matching on the uploaded file only; it says nothing about the design issues listed above, such as the embedded payment key, the undeclared network access, or the billing mismatch.