ClawHub

Youtube To Ebook

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate YouTube-to-ebook/newsletter automation skill, but it uses API keys, third-party services, optional email sending, and optional Mac scheduling that users should configure deliberately.

Install only if you are comfortable with a local automation tool that stores API keys in .env, sends video URLs/transcripts and metadata to external services, can email generated content through Gmail when configured, and can run on a Mac schedule if you enable launchd. Use a virtual environment, keep .env out of version control, prefer dedicated API keys and a Gmail app password, review the recipient and LaunchAgent plist before enabling email or automation, and consider pinning dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (34)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(PLIST_FILE, "w") as f:
            f.write(content)

        subprocess.run(["launchctl", "bootout", f"gui/{os.getuid()}", str(PLIST_FILE)],
                      capture_output=True)
        subprocess.run(["launchctl", "bootstrap", f"gui/{os.getuid()}", str(PLIST_FILE)],
                      capture_output=True)
Confidence
94% confidence
Finding
subprocess.run(["launchctl", "bootout", f"gui/{os.getuid()}", str(PLIST_FILE)], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(["launchctl", "bootout", f"gui/{os.getuid()}", str(PLIST_FILE)],
                      capture_output=True)
        subprocess.run(["launchctl", "bootstrap", f"gui/{os.getuid()}", str(PLIST_FILE)],
                      capture_output=True)
        return True
    return False
Confidence
94% confidence
Finding
subprocess.run(["launchctl", "bootstrap", f"gui/{os.getuid()}", str(PLIST_FILE)], capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises significant capabilities including environment access, filesystem reads/writes, network access, and shell execution, but does not declare permissions or boundaries. This reduces transparency and prevents users from making an informed trust decision, especially because the workflow handles API keys, local files, and automation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description focuses on transforming YouTube videos into ebook articles, but the documented behavior extends to email delivery, scheduled execution, dashboard management, local file modification, archival, and channel polling. This mismatch is security-relevant because users may authorize the skill under a narrower mental model than what it actually does.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The dashboard can generate and send newsletters and orchestrate scheduled execution, which goes beyond the advertised role of transforming YouTube videos into ebook articles. This mismatch increases risk because users may grant trust under a narrower purpose while the skill performs additional actions with external side effects such as inbox delivery and automation.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code edits a user LaunchAgent plist and reloads it through launchctl, creating persistent recurring execution on the host. That is a strong persistence mechanism not justified by the stated ebook-conversion purpose, and in skill ecosystems it materially raises the risk of stealthy or over-privileged behavior.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The dashboard rewrites source files to store channels, which is an implementation shortcut with surprising side effects unrelated to the user-facing purpose. Modifying executable Python files as configuration increases tamper risk and makes the behavior less transparent, especially in an agent skill context where code integrity matters.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The implementation behavior conflicts with the declared skill purpose: instead of only transforming YouTube videos into ebook-style articles, it orchestrates a newsletter/email sending pipeline. This kind of scope mismatch is security-relevant because users or calling systems may grant permissions and trust based on the manifest, while the code performs additional outbound actions that could leak generated content or enable unexpected communications.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module and function documentation repeatedly present the tool as a newsletter generator, which conflicts with the stated ebook-article skill context. Such documentation drift increases the risk of deceptive or misunderstood functionality, especially where downstream automation, reviewers, or users rely on metadata to assess what the skill is allowed to do.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file does substantially more than the stated skill purpose of transforming YouTube content into ebook articles: it emails newsletters and persists archives locally. This expands the data-handling and exfiltration surface beyond user expectations, creating a real security and privacy issue even if the feature was added for convenience rather than abuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Loading Gmail credentials gives the skill outbound messaging capability unrelated to simple ebook/transcript generation. Even if credentials are sourced from environment variables, their presence enables unauthorized use of a mailbox and broadens the blast radius if the skill is invoked unexpectedly or modified.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code establishes an outbound SMTP connection and sends generated content to an email recipient, which is a data transmission path outside the stated scope. Because article content may include transcripts or sensitive derived text, this creates an exfiltration channel and a privacy risk, especially when the default recipient is the configured Gmail address.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation phrase "Set up YouTube to ebook for me" is broad and can trigger a multi-step workflow involving credential setup, file creation, configuration changes, and networked services without clear scoping. Broad triggers increase the chance of the agent initiating sensitive actions before the user has explicitly approved each one.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill asks for YouTube and Anthropic API keys and indicates they are stored in a local .env file, but it does not warn users about the risks of plaintext credential storage, file permissions, accidental commits, or local compromise. Missing this warning can lead to credential exposure and unauthorized use of paid APIs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow states that transcripts are transformed using Claude and elsewhere suggests including titles and descriptions in prompt context, but it does not warn that this content is sent to a third-party AI provider. Users may unintentionally transmit copyrighted, sensitive, or private transcript content off-device without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The optional email delivery section instructs users to place Gmail credentials in .env but omits warnings about the sensitivity of mailbox access and the consequences of credential leakage. Exposure of these secrets could allow unauthorized email sending, inbox abuse, or broader account compromise depending on account configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The schedule update path changes local system automation by editing a LaunchAgent and reloading launchctl, but the UI provides only minimal scheduling language and no explicit warning about persistence or host-level changes. This is risky because users may not realize they are authorizing a recurring background task on their machine.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Editing channels rewrites another Python file without clearly informing the user that application source code is being modified. This is unsafe from a software integrity perspective because configuration changes should not silently alter executable code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Saving writing style overwrites part of write_articles.py rather than storing a prompt in data/config, and the UI does not clearly disclose that executable source is being edited. This creates avoidable integrity and maintainability risk, and could break or alter downstream behavior in surprising ways.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill silently archives newsletter HTML, EPUB, and metadata to local disk without user-facing disclosure. This can retain transcripts, titles, channels, and other generated content longer than expected, increasing the risk of unintended disclosure to other local users, backup systems, or later processes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill transmits email over SMTP using configured credentials without any user-facing disclosure or confirmation at send time. In this context, the lack of transparency is dangerous because the skill's advertised purpose is content transformation, not outbound distribution, so users may not realize their generated content is being emailed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends full transcript and video metadata to Anthropic's external API, but there is no user-facing disclosure, consent flow, or data-classification check before transmission. This is risky because transcripts and descriptions may contain personal, confidential, or copyrighted material, and the skill's purpose is explicitly to process third-party content at scale.

Ssd 1

Medium
Confidence
97% confidence
Finding
Untrusted transcript and description text are interpolated directly into the prompt with no delimiting, sanitization, or instruction hierarchy, so adversarial content inside the transcript can act as prompt injection and steer the model away from the intended article-writing task. In this skill, the model output is later treated as the generated article, so injected instructions could cause data exfiltration into output, policy bypass, manipulation of article content, or inclusion of harmful/irrelevant text.

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-api-python-client
python-dotenv
youtube-transcript-api
anthropic
Confidence
97% confidence
Finding
google-api-python-client

Unpinned Dependencies

Low
Category
Supply Chain
Content
google-api-python-client
python-dotenv
youtube-transcript-api
anthropic
markdown
Confidence
98% confidence
Finding
python-dotenv

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal