GifHorse

Security checks across malware telemetry and agentic risk

Overview

GifHorse is a coherent GIF-making skill, but users should notice that it installs an external CLI, indexes local video dialogue, downloads subtitles by default, and can optionally send GIFs through iMessage.

Install only if you trust the external GifHorse GitHub repository and are comfortable with it processing the video folders you choose. Use `--use-subtitles` or `--use-whisper` if you do not want default online subtitle lookup, keep the transcription database in a location you control, and confirm the recipient before using `--send` or `--send-to`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that transcription 'downloads subtitles automatically' but does not warn users that this causes outbound network access and may disclose media titles or metadata to third-party subtitle providers. In a local-media workflow, users may reasonably expect processing to remain local, so the omission creates a meaningful privacy and transparency risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill documents `--send` and `--send-to` for iMessage transmission without a prominent warning that generated GIFs are sent to external recipients and may disclose video content, subtitles, or sensitive phone numbers. Users invoking a media-creation tool may not anticipate a transmission side effect from creation commands, making accidental disclosure more likely.

VirusTotal

49/49 vendors flagged this skill as clean.
