ClawHub

Dataify Youtube Audio By Url

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for Dataify YouTube audio task creation, but its broad auto-invocation scope could cause unintended third-party task submission or token-related handling.

Review before installing. Use it only if you are comfortable with a Dataify integration that may submit YouTube audio collection tasks to a third-party service, and prefer explicit invocation or confirmation before any task is created or token-related troubleshooting is performed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description contains very broad trigger phrases such as generic scraping/collection wording and troubleshooting/token-handling requests, which can cause the skill to activate for ordinary user intents beyond narrowly scoped YouTube-audio task creation. Over-broad activation increases the chance of unintended external calls, token handling, or data submission when the user did not specifically request this skill.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill enables allow_implicit_invocation without any constraints in the YAML itself, so the agent may auto-select this skill based on broad semantic matching rather than an explicit user request. In this context, the skill triggers external task submission to a third-party service, which increases the risk of unintended data processing, accidental job creation, or abuse through prompt manipulation and ambiguous user phrasing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal