ClawHub

AOI Demo Clip Maker

Security checks across malware telemetry and agentic risk

Overview

This is a local macOS demo-clip tool whose screen recording and ffmpeg file writes match its stated purpose, but users should watch for accidental sensitive capture or overwrites.

Install only if you intend to grant your terminal Screen Recording permission and have trusted ffmpeg/ffprobe installed. Before recording, close sensitive windows and notifications; before crop/trim, verify input and output paths because existing files can be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly guides users to record their screen but does not warn that notifications, credentials, private chats, browser tabs, or other sensitive on-screen content may be captured unintentionally. Because this skill is specifically designed for screen recording on macOS, the omission increases the risk of accidental data exposure when users create and share demo clips.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill records the user's screen and writes the capture to disk, but it does not provide an explicit privacy warning, confirmation step, or visible consent gate before doing so. In a screen-recording utility this behavior is expected, but it is still risky because users may unintentionally capture sensitive information visible on their display.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The crop and trim commands invoke ffmpeg with -y, which overwrites existing output files without prompting the user. This can cause unintended data loss if the user reuses an existing filename or makes a mistake, especially because the command-line interface does not explicitly warn about destructive overwrite behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal