M3U8 Downloader

Security checks across malware telemetry and agentic risk

Overview

This downloader mostly does what it says, but its helper script can write or delete paths based on an unchecked output name.

Review before installing. Use only simple output names made of letters, numbers, dashes, or underscores, and avoid slashes, `..`, or shell metacharacters. The publisher should sanitize `output_name`, use a `mktemp`-created work directory, and verify cleanup paths before `rm -rf`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to use shell commands (`curl`, `aria2c`, `ffmpeg`, `rm`) but does not declare any corresponding permissions. This creates a transparency and policy-enforcement gap: a caller may invoke the skill without realizing it can perform network access, file writes, and filesystem deletion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented cleanup step performs recursive deletion of a directory under `/tmp` without any warning, validation, or confirmation. While the specific path is limited, destructive commands in agent skills are risky because variable substitution, path mistakes, or adaptation by the agent can turn routine cleanup into unintended data loss.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### Step 6: Cleanup

```bash
rm -rf /tmp/video_download
```

## Quick Script Usage
Confidence
88% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### Step 6: Cleanup

```bash
rm -rf /tmp/video_download
```

## Quick Script Usage
Confidence
88% confidence
Finding
rm -rf /tmp/

VirusTotal

64/64 vendors flagged this skill as clean.
