QCut Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is mostly a real QCut media toolkit, but it needs review because it uploads audio to public and third-party services, exposes risky credential guidance, and includes broad persistent self-modification behavior.

Install only if you understand that media and audio may be uploaded to external services, including a public temporary host in the documented workflow. Do not use it with confidential meetings, private voice recordings, unreleased media, or regulated data unless you replace that upload path with approved storage. Store API keys carefully, avoid printing them, and review any proposed updates to CLAUDE.md or skill rule files before allowing persistent changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (41)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a media workflow toolkit, but it also includes PR review processing, which is a materially different capability domain. This mismatch can cause over-broad invocation and unexpected access to code-review or repository workflows when a user intended only media operations.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The routing table explicitly maps code-review tasks such as exporting PR comments and fixing review feedback to this skill, despite the manifest framing it as a media/content toolkit. That scope confusion can lead to accidental activation on unrelated developer tasks and unauthorized handling of repository or review data.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs uploading extracted audio to a public third-party file host (uguu.se) as part of the default workflow, which can expose potentially sensitive voice content outside the local environment. In a subtitle-generation context, external hosting is not inherently required, and the file is made available to another service without any privacy, retention, or consent warning, increasing data leakage risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented workflow extracts local audio from a user video and uploads it to a third-party public file host (uguu.se), which is a data exfiltration step not clearly disclosed by the skill description. In a media workflow context, uploaded audio may contain sensitive voices, confidential meetings, or copyrighted material, so sending it off-platform without explicit warning and consent is dangerous.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The workflow calls an external transcription service (Volcengine) that is not reflected in the high-level skill description, so users may believe processing is local when it is not. Hidden third-party processing expands the trust boundary and can expose media-derived data, transcripts, and hotword dictionaries to external providers.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill directs users to upload extracted speech audio to a public file host as part of a normal editing workflow, which exposes potentially sensitive voice content to the internet beyond what is necessary for transcription. For talking-head videos, the audio may contain personal, corporate, or unreleased material, and the documentation does not justify why a public host is required or warn about the exposure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This section operationalizes the public upload by instructing use of uguu.se and then passing the resulting public URL into the transcription flow. That creates unnecessary third-party disclosure and broadens access to user audio, increasing the chance of data leakage, unauthorized access, or persistence outside the user's control.

Vague Triggers

High
Confidence
95% confidence
Finding
The top-level description is extremely broad, including phrases like 'any media workflow' and 'content pipeline task,' which increases the chance that the agent selects this skill for loosely related requests. In a skill with shell, network, editor-control, and AI-generation pathways, overbroad auto-selection materially raises the risk of unintended actions or inappropriate tool access.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The routing table contains generic triggers like 'organize,' 'clean up files,' and other broad phrases that overlap with normal conversation and non-media tasks. Because this skill can chain into shell and external-processing sub-skills, ambiguous triggers make accidental invocation and misuse more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples encourage users to submit local video files for AI analysis and to use remote media URLs, but they do not warn that media content, file-derived data, prompts, and metadata may be transmitted to external model providers or services. In a media-processing skill, this is especially relevant because users may analyze sensitive unpublished footage, personal media, or proprietary content without realizing the privacy and compliance implications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly instructs users to send prompts and generation payloads to third-party FAL endpoints, but it does not include any privacy or data-handling warning. In a media workflow skill, prompts, images, and other creative assets may contain proprietary or personal data, so omission of a disclosure can lead to unintended external transmission of sensitive content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples encourage saving transcripts, word-level timestamps, speaker IDs, and analysis metadata to disk without warning that these artifacts can contain sensitive personal or confidential information. Transcription outputs often capture conversations, identities, and behavioral metadata, so writing them to predictable files can create privacy and data retention risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The HTTP video-analysis examples show how to submit local file paths, media IDs, and timeline elements for analysis but omit any notice that the underlying content may be sent to external AI providers depending on configuration and model choice. In a media workflow skill, users may reasonably assume analysis is purely local because the endpoint is localhost, which increases the risk of unintentionally transmitting sensitive video or derived content off-device.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is excessively broad and includes generic terms like AI video generation, short dramas, ads, and video prompts, which can cause the skill to activate outside clear Seedance-specific intent. Over-broad routing can misdirect users into a constrained workflow, increasing the chance of inappropriate instructions, unexpected tool behavior, or accidental handling of unrelated requests.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The skill enforces Chinese-only prompt output regardless of user preference, which creates a hard policy constraint that can override user intent and downstream system expectations. While not a classic code-execution issue, this can cause unsafe or incorrect task handling in multilingual contexts, especially if other components assume prompts remain in the user's language or require explicit consent before language transformation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill declares broad trigger phrases like "update rules," "record feedback," and "improve skill" without strong scoping or confirmation requirements. This can cause unintended activation during ordinary conversation and, because the skill performs updates to persistent files, accidental invocation could lead to unauthorized or unsafe changes to agent behavior.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The examples and flow use vague phrases such as "Record the issue we just had" and "Remember this lesson," then instruct the agent to infer context automatically rather than request precise input. In a self-modifying skill, that ambiguity is risky because the agent may misattribute context and write incorrect, attacker-influenced, or overbroad rules into persistent memory or methodology files.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions rely on broad conversational cues like user corrections or statements such as "remember this," which are common in normal interaction and not sufficient authorization for persistent modification. In this skill's context, underspecified triggers are more dangerous because they gate self-evolution behavior that can alter future agent decisions and accumulate prompt-injected guidance over time.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The declared trigger terms are broad, natural-language phrases such as '更新规则' and '记录反馈' that can appear in ordinary conversation, making accidental invocation plausible. Because this skill performs persistent self-modification behavior, unintended activation could cause the agent to alter documentation or rule files based on incidental dialogue rather than a deliberate maintenance request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation conditions include vague cues like user correction, '记住这个', or '以后注意', which are common conversational patterns and do not reliably indicate consent to modify persistent state. In a self-evolving skill, ambiguous activation is especially risky because ordinary feedback can be converted into lasting rule changes without clear authorization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly states that the agent will automatically read full target files and integrate updates into persistent files like CLAUDE.md or tips documents, but it does not require a warning, preview, or approval before modifying user or project data. This creates a direct integrity risk: the agent may rewrite important documentation or behavioral rules based on mistaken context interpretation, prompt injection, or accidental activation.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes very generic phrases like "install," "setup," and "initialize," which can match ordinary user requests and cause the skill to activate unexpectedly. In a skill that performs environment changes and credential setup, over-broad activation increases the chance of unintended execution paths, unnecessary package installation guidance, or prompting users to handle secrets when they did not explicitly request this skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to append an API key into `.claude/skills/.env` and later display matching contents with `cat ... | grep VOLCENGINE`, but it does not warn about secret exposure, file permissions, shell history, or accidental commit risk. This creates a realistic path for credential leakage through terminal output, logs, screenshots, shared sessions, or source control, especially because the workflow explicitly verifies the secret by printing it.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill declares very broad trigger phrases such as '安装、环境准备、初始化', which can match many ordinary user requests and cause this skill to activate in contexts the user did not specifically intend. In a skill that includes shell commands and credential setup steps, overbroad activation increases the chance of unsolicited system changes or premature secret-handling guidance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions tell the user to append an API key directly into `.claude/skills/.env` and later display matching environment entries with `cat ... | grep`, but provide no warning about secret exposure, file permissions, source control leakage, or safer secret-management options. This can lead to accidental credential disclosure through terminal history, screenshots, shared repositories, or inappropriate file access.

VirusTotal

66/66 vendors flagged this skill as clean.