Security checks across malware telemetry and agentic risk

Overview

This skill does local subtitle-to-Markdown work with optional video screenshot generation, and its risks are mainly operational rather than malicious.

Install only if you want local screenshot post-processing. Run it in a dedicated folder containing the intended Markdown and MP4 files, review the included script first, and ensure ffmpeg comes from a trusted source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill requests or implies file read, file write, and shell execution capabilities without declaring them in the manifest, which prevents proper permission review and informed consent. In this context, the hidden shell capability is especially risky because the instructions explicitly invoke a local Python script, enabling unreviewed code execution and filesystem changes beyond simple subtitle conversion.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is limited to converting SRT subtitles into Markdown, but the documented behavior expands to processing Markdown files, locating MP4 videos, generating screenshots, rewriting Markdown, and creating additional assets. This mismatch is dangerous because it obscures materially different actions from users and reviewers, increasing the chance of unexpected file access, media processing, and modification of project contents.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest says the skill converts SRT to Markdown, but the documentation adds a post-processing step that captures screenshots from video by running a local script. That undocumented expansion increases risk because it introduces execution of additional code and access to video/media files that users would not reasonably expect from the stated functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs execution of a local Python script via a subprocess-style command even though that capability is not justified by the stated subtitle-to-Markdown task. Executing local scripts is dangerous because it can run arbitrary code, invoke tools like ffmpeg, alter files, or expose the environment, especially when no validation or approval step is described.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The implementation materially diverges from the declared skill purpose: instead of converting SRT to Markdown, it scans for existing Markdown and optionally processes local MP4 files with ffmpeg. This mismatch is dangerous because users and automated systems may grant the skill trust or permissions based on the manifest, while the code performs different file discovery and media-processing behavior than advertised.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill executes an external binary (ffmpeg) even though that capability is not justified by the stated purpose. Hidden or undeclared execution of external tools expands the attack surface, may process unexpected files, and can surprise operators who believed the skill only transformed subtitle text into Markdown.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code comments and CLI description suggest SRT/video-to-Markdown conversion, but the implementation actually searches for Markdown files and post-processes them. This inconsistency can mislead users and security reviewers about what data the skill reads and writes, increasing the risk of unintended file processing under false assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions direct the agent to save files and run a Python script automatically, without any user-facing warning, confirmation, or opportunity to review affected paths. This is unsafe because it combines write operations and code execution in a non-consensual workflow, making unintended modification of project files more likely.

VirusTotal

66/66 vendors flagged this skill as clean.