Tubeify

Security checks across malware telemetry and agentic risk

Overview

Tubeify is an instruction-only skill for using a paid external video-editing API, with expected privacy and payment considerations but no hidden code or automatic execution.

Install/use only if you trust Tubeify with the video URL, wallet address, transaction hash, and session cookie created by the examples. Do not submit private or non-public videos unless you accept third-party processing, and never provide wallet private keys or seed phrases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send a wallet address, payment transaction hash, and video URL to a third-party service but does not clearly warn that these data leave the local agent environment and are transmitted to Tubeify. This creates a meaningful privacy and trust risk because users may disclose sensitive creator content or payment metadata without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
### Authenticate

```bash
curl -c session.txt -X POST https://tubeify.xyz/index.php \
  -d "wallet=<YOUR_WALLET_ADDRESS>"
```
Confidence
92% confidence
Finding
curl -c session.txt -X POST https://tubeify.xyz/index.php \ -d "wallet=<YOUR_WALLET_ADDRESS>" ``` ### Submit Video for Processing ```bash curl -b session.txt -X POST https://tubeify.xyz/process.ph

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Authenticate
curl -c session.txt -X POST https://tubeify.xyz/index.php \
  -d "wallet=0xYOUR_WALLET"

# 2. Submit video (include your 2 USDC tx hash)
```
Confidence
91% confidence
Finding
curl -c session.txt -X POST https://tubeify.xyz/index.php \ -d "wallet=0xYOUR_WALLET" # 2. Submit video (include your 2 USDC tx hash) curl -b session.txt -X POST https://tubeify.xyz/process.php \

VirusTotal

65/65 vendors flagged this skill as clean.
