Media Inspector

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it scans local media, optionally transcribes it, and saves local reports, but those reports may contain private file paths and transcript text.

Install ffmpeg and Whisper only from trusted sources, run the skill on narrow folders or specific files, and store generated reports in a private location. Delete or protect reports when analyzing sensitive recordings because they can include file paths, metadata, summaries, excerpts, and full transcript text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 89%
Finding
The quick-start instructions show analysis and scanning commands that write JSON, CSV, and Markdown reports to disk, but the description does not prominently warn users about this behavior. While not an exploit primitive by itself, the omission can cause accidental persistence of sensitive media metadata or transcripts in local directories, especially when analyzing private audio/video files.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script automatically performs speech-to-text transcription, summarization, and excerpt extraction on local media files, then writes the resulting text to JSON, CSV, and Markdown reports, without any explicit consent prompt or warning to the user. In a media-inspection skill, this increases privacy risk because sensitive spoken content from recordings may be exposed, retained on disk, or shared downstream unexpectedly.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script recursively enumerates user-specified directories and writes absolute paths, filenames, sizes, and modification timestamps into JSON, CSV, and Markdown reports. In a local media-inspection skill, this creates a privacy-sensitive inventory of a user's filesystem contents that could be exposed to other users, uploaded, or retained unexpectedly, especially when broad paths are scanned.

VirusTotal

65/65 vendors flagged this skill as clean.
