Twitch Clip

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses configured Twitch credentials to create clips, with the main caution being that short trigger phrases could cause unwanted clips if the agent is listening too broadly.

Install only if you want the agent to create Twitch clips for the configured broadcaster. Use a narrow Twitch token with only clips:edit, keep the token private, and configure the agent so only explicit authorized clip requests trigger the script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding:
The top-level description says the skill should activate on phrases like 'clip that' or 'clip it,' which are common in casual streaming conversation and can be spoken by someone other than the authorized operator. Because this action performs an external API call and consumes authenticated credentials, overly broad triggers can lead to unintended clip creation and API abuse.

Vague Triggers

Medium
Confidence: 95%
Finding:
The listed trigger phrases are short, ambiguous, and lack scope constraints, making accidental or malicious prompt-triggering plausible during normal conversation. In a live-stream setting, viewers, guests, or media playback could induce the agent to create clips repeatedly, causing spam and unwanted external actions despite the 30-second cooldown.

VirusTotal

66/66 vendors flagged this skill as clean.
