ClawHub

Dataify Youtube Video Post

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for submitting YouTube video collection jobs to Dataify using a user-provided or locally saved API token.

Before installing, understand that using this skill can submit paid or account-linked Dataify scraping jobs and will send your Dataify API TOKEN to Dataify. Keep DATAIFY_API_TOKEN scoped to Dataify, review the chosen collection mode and post counts before running, and avoid storing the token persistently on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to read a locally saved API token from the environment and submit authenticated network requests, yet no permissions are declared to signal that env and network access are required. This creates a transparency and consent gap: an agent may access secrets and exfiltrate them to an external service without an explicit permission boundary, increasing the risk of unintended credential use or data transfer.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This skill enables implicit invocation and pairs it with a very broad default prompt covering many common phrasings for YouTube scraping and collection tasks. That increases the chance the agent will auto-trigger the skill unexpectedly, causing unintended third-party requests, data collection actions, or workflow execution without sufficiently explicit user confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal