Youtube To Skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says at a high level, but it can upload video-derived content to MiniMax and publish generated skills to GitHub without strong review or consent gates.

Review the scripts before installing. Use the skill only with public, non-confidential videos; supply a fine-grained GitHub token scoped to the one intended repository; inspect the generated SKILL.md and the git diff before any push; and do not let the runtime install dependencies on its own unless your environment tolerates that supply-chain risk.
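The guidance above is a procedure, so here is one way to wire it into the skill's own shell steps. This is an added example, not the skill's code: it refuses to install tools at runtime, keeps the GitHub token out of the clone URL by handing it to git through an inline credential helper, and gates the push behind a hypothetical opt-in variable YTS_ALLOW_PUSH that the operator sets only after reading the staged diff. The repository URL is passed in rather than hard-coded, and "x-access-token" is the username GitHub accepts alongside a token.

```shell
#!/bin/sh
# Hardened replacements for the skill's git and dependency steps (added example,
# not the skill's own code). Assumptions: GITHUB_TOKEN holds a fine-grained token
# scoped to one repository; YTS_ALLOW_PUSH is a hypothetical opt-in variable.

# Fail instead of running "pip install" on the fly: the operator installs and pins
# dependencies in their own environment; the skill only checks they are present.
require_tool() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "missing tool: $1 (install and pin it yourself)" >&2
    return 1
  }
}

# Accept only plain https GitHub repo URLs with no embedded userinfo. A token in the
# URL ends up in argv, shell traces, error output and .git/config.
check_repo_url() {
  case "$1" in
    *@*) return 1 ;;
    https://github.com/*/*.git) return 0 ;;
    *) return 1 ;;
  esac
}

# Run git with an inline credential helper. Git executes the helper with sh, which
# reads GITHUB_TOKEN from the environment, so the secret never appears on git's
# command line or in the repository configuration.
git_with_token() {
  [ -n "${GITHUB_TOKEN:-}" ] || { echo "GITHUB_TOKEN not set" >&2; return 1; }
  export GITHUB_TOKEN
  git -c credential.helper='!f() { echo "username=x-access-token"; echo "password=${GITHUB_TOKEN}"; }; f' "$@"
}

# Consent gate for the side effect that matters most: publishing to GitHub.
push_allowed() {
  [ "${YTS_ALLOW_PUSH:-}" = "yes" ]
}

safe_clone() {
  check_repo_url "$1" || { echo "refusing repository URL: $1" >&2; return 1; }
  git_with_token clone --depth 1 "$1" "$2"
}

# Show the operator exactly what would be published, then push only on explicit opt-in.
safe_push() {
  repo_dir="$1"
  git -C "$repo_dir" --no-pager diff --cached --stat
  push_allowed || {
    echo "review the staged diff above, then rerun with YTS_ALLOW_PUSH=yes" >&2
    return 2
  }
  git_with_token -C "$repo_dir" push origin HEAD
}
```

Usage: call `require_tool yt-dlp` at the top of the script, `safe_clone "$REPO_URL" work` where the skill currently interpolates the token into the URL, and `safe_push work` in place of the bare `git push`. The helper string is single-quoted, so `${GITHUB_TOKEN}` is expanded by the shell git spawns, not by the calling script.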

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands for git clone/cp/commit/push but declares no corresponding permissions or capability boundaries. Hidden code execution capability increases risk because users and policy layers cannot accurately assess that the skill will modify local files and perform repository operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill's description understates several sensitive behaviors: it sends video-derived content to external MiniMax services, uses credentials, and pushes generated content to a hard-coded GitHub repository. This mismatch undermines informed consent and can cause unreviewed data exfiltration or publication of generated content to an unexpected destination.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script installs yt-dlp at runtime with pip when it is missing, which expands the skill's behavior from media processing into package installation and arbitrary third-party code retrieval. In an agent context, this is risky because it performs network-based dependency installation without pinning, verification, or user approval, increasing supply-chain and environment-tampering risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger condition is broad enough to activate on many ordinary messages containing a video link, which can cause unexpected processing and outbound actions. In this skill, broad triggering is more dangerous because activation can lead to external API submission and GitHub publication without a narrowly scoped user intent check.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill does not clearly warn that it will automatically push generated content to GitHub, and the implementation targets a specific repository. Automatic publication is a sensitive side effect that can leak proprietary, copyrighted, or inaccurate content and create unintended commits under the user's credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks for sensitive credentials and transmits URLs, subtitles, audio, and summaries to external services, but does not provide adequate user-facing warnings about data handling. This creates privacy and security risk, especially if videos or transcriptions contain confidential or regulated information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently installs and then immediately executes external tooling without any confirmation or warning. Because the tool is fetched dynamically from an external package source and then run against attacker-controlled URLs, this creates avoidable exposure to supply-chain compromise and unreviewed code execution in the agent environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the full contents of the local summary file to a third-party LLM service over the network without any notice, consent gate, redaction, or policy check. If the summary contains sensitive data extracted from videos or prior processing steps, this creates an unintended data exfiltration path and privacy/compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends a user-supplied video URL to a third-party API along with an authorization bearer token, but provides only a generic status message and no explicit notice or consent boundary around data disclosure. In this skill's context, URLs may encode private or unlisted content identifiers, so transmitting them off-platform can create privacy and policy risks even if this is the intended implementation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script reads a GitHub token from the environment and interpolates it directly into the clone URL. This can expose the credential through process listings, shell tracing, logs, error output, or accidental reuse of the authenticated URL by Git, creating a real credential-handling weakness even if the token is not explicitly printed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the full subtitle text or audio-derived transcript to MiniMax over the network, but there is no built-in consent prompt, warning, redaction step, or privacy notice. Because video subtitles and audio can contain personal, confidential, or copyrighted information, this creates a real data-exposure risk in a skill that processes arbitrary user-supplied videos.
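The three findings above (summary file, video URL, subtitle or transcript text all sent to MiniMax with no notice or redaction) share one fix: screen the payload before the curl. The following is an added example, not the skill's code. It refuses files that carry obvious secrets, caps the payload size, and emits an audit line (size and SHA-256, never the content) so the operator can see what left the machine. The regex deny-list is deliberately small and illustrative, not a complete secret scanner; the 200000-byte default cap is an assumption.

```shell
#!/bin/sh
# Pre-upload screen for text the skill would POST to MiniMax (added example, not the
# skill's own code). The patterns are an illustrative deny-list, not a full scanner.

# Return 1 if the file contains something that must never leave the machine:
# PEM private keys, AWS access key IDs, GitHub tokens, or a pasted bearer header.
screen_for_secrets() {
  f="$1"
  if grep -Eq -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
              -e 'AKIA[0-9A-Z]{16}' \
              -e 'gh[pousr]_[A-Za-z0-9]{20,}' \
              -e 'github_pat_[A-Za-z0-9_]{20,}' \
              -e '[Bb]earer [A-Za-z0-9._-]{20,}' "$f"; then
    echo "refusing to upload $f: secret-like content found" >&2
    return 1
  fi
  return 0
}

# Bound how much can leave in one call if screening misses something (assumed default).
within_size_limit() {
  f="$1"; max="${2:-200000}"
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -le "$max" ]
}

# Audit line: size and SHA-256 of what was sent, without echoing the content.
audit_line() {
  f="$1"
  if command -v sha256sum >/dev/null 2>&1; then
    digest=$(sha256sum "$f" | cut -d' ' -f1)
  else
    digest=$(shasum -a 256 "$f" | cut -d' ' -f1)
  fi
  printf '%s bytes sha256=%s\n' "$(wc -c < "$f" | tr -d ' ')" "$digest"
}

# Combined gate: run every check, then print the audit line. Only if this returns 0
# should the caller proceed to the MiniMax request.
screen_before_upload() {
  f="$1"
  screen_for_secrets "$f" || return 1
  within_size_limit "$f" "${2:-200000}" || { echo "payload too large: $f" >&2; return 1; }
  audit_line "$f"
}

# Caller shape, not executed here: replace the unconditional curl with
#   screen_before_upload "$INPUT_FILE" && curl ... -d "$(jq -n --rawfile c "$INPUT_FILE" ...)"
```

The same gate applies to the subtitle text and the transcript file: run `screen_before_upload` on the temporary file the skill writes (`$TRANSCRIPT_FILE` or the summary file) and abort the pipeline on a non-zero return instead of posting the content.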

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Extracting Skill from summary..."

RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
Confidence
95% confidence
Finding
curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \ -H "Authorization: Bearer $MINIMAX_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Extracting Skill from summary..."

RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
Confidence
95% confidence
Finding
https://api.minimax.chat/

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Extracting subtitle from: $VIDEO_URL"

RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/video/subtitle" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d "$(jq -n --arg url "$VIDEO_URL" '{"video_url": $url, "format": "srt"}')")
Confidence
90% confidence
Finding
curl -s -X POST "https://api.minimax.chat/v1/video/subtitle" \ -H "Authorization: Bearer $MINIMAX_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Extracting subtitle from: $VIDEO_URL"

RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/video/subtitle" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d "$(jq -n --arg url "$VIDEO_URL" '{"video_url": $url, "format": "srt"}')")
Confidence
90% confidence
Finding
https://api.minimax.chat/

External Transmission

Medium
Category
Data Exfiltration
Content
CONTENT=$(cat "$INPUT_FILE")
  
  # Call the MiniMax LLM to generate the summary and transcript
  RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \
    -H "Authorization: Bearer $MINIMAX_API_KEY" \
    -H "Content-Type: application/json" \
    -d "$(jq -n \
Confidence
91% confidence
Finding
curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \ -H "Authorization: Bearer $MINIMAX_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "$TEXT" > "$TRANSCRIPT_FILE"
    
    # Summarize
    SUMMARY_RESP=$(curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \
      -H "Authorization: Bearer $MINIMAX_API_KEY" \
      -H "Content-Type: application/json" \
      -d "$(jq -n \
Confidence
91% confidence
Finding
curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \ -H "Authorization: Bearer $MINIMAX_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
CONTENT=$(cat "$INPUT_FILE")
  
  # Call the MiniMax LLM to generate the summary and transcript
  RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \
    -H "Authorization: Bearer $MINIMAX_API_KEY" \
    -H "Content-Type: application/json" \
    -d "$(jq -n \
Confidence
91% confidence
Finding
https://api.minimax.chat/

External Transmission

Medium
Category
Data Exfiltration
Content
if [ "$EXT" = "mp3" ] || [ "$EXT" = "wav" ] || [ "$EXT" = "m4a" ] || [ "$EXT" = "aac" ]; then
    # Use the MiniMax speech recognition API
    RESPONSE=$(curl -s -X POST "https://api.minimax.chat/v1/audio/transcriptions" \
      -H "Authorization: Bearer $MINIMAX_API_KEY" \
      -F "file=@$INPUT_FILE" \
      -F "language=zh,en" \
Confidence
97% confidence
Finding
https://api.minimax.chat/

External Transmission

Medium
Category
Data Exfiltration
Content
echo "$TEXT" > "$TRANSCRIPT_FILE"
    
    # Summarize
    SUMMARY_RESP=$(curl -s -X POST "https://api.minimax.chat/v1/chat/completions" \
      -H "Authorization: Bearer $MINIMAX_API_KEY" \
      -H "Content-Type: application/json" \
      -d "$(jq -n \
Confidence
91% confidence
Finding
https://api.minimax.chat/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal