ClawHub

YouTube Model Feeder

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed YouTube video extraction workflow, but it relies on external Docker code and may persist or send video-derived content depending on user choices.

Before installing, inspect the referenced repository and docker-compose file, confirm it is the intended source, and avoid using force install just to bypass a warning. Use local Ollama for sensitive videos; if you choose OpenAI or Anthropic, assume transcripts, OCR text, and summaries may be sent to that provider. Keep track of generated database records, screenshots, ZIPs, and Obsidian notes, and remove exported content or API keys when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly supports OpenAI and Anthropic summarization, but the description does not clearly warn users that extracted transcript, OCR, slide text, and possibly screenshots-derived content may be transmitted to third-party LLM providers when those options are selected. This creates a meaningful privacy and data-handling risk because users may submit videos containing sensitive or proprietary material without understanding that content can leave the local environment.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill promotes Obsidian export and persistent knowledge bundles, but it does not clearly warn that extracted transcripts, screenshots, OCR, and summaries may be stored long-term in the user's vault or exported archives. This can lead to accidental retention of copyrighted, sensitive, or confidential video content beyond the user's original expectations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal