Meta Video Ad Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: analyzes user-provided video or image ads with local media tools and Google AI services, with some privacy and deployment cautions.

Install in an isolated environment, use a dedicated least-privilege Google service account, and analyze only media you are allowed to send to Google cloud services. In shared deployments, keep generated thumbnails out of public access or add authenticated serving and unique filenames.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            audio_path = temp_f.name

            try:
                subprocess.run([
                    'ffmpeg', '-i', video_path, '-vn', '-f', 'wav',
                    '-acodec', 'pcm_s16le', '-ar', '16000', '-ac', '1',
                    '-y', audio_path
Confidence
85% confidence
Finding
subprocess.run([ 'ffmpeg', '-i', video_path, '-vn', '-f', 'wav', '-acodec', 'pcm_s16le', '-ar', '16000', '-ac', '1', '-y', a

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities that require environment access, local file reads, and shell-adjacent tooling such as ffmpeg, but it does not declare permissions accordingly. This creates a transparency and policy-enforcement gap: an agent or user may invoke a skill with broader access than expected, increasing the risk of unintended file exposure or command execution through supporting scripts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends video frames, images, and audio-derived content to external Google AI services for scene analysis and transcription, but the description does not warn users that potentially sensitive media leaves the local environment. This can lead to privacy, confidentiality, and compliance issues if users analyze ads or videos containing personal data, unreleased creative, or regulated content without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends extracted frames, full images, and potentially full video/audio content to external AI and speech services without any explicit consent gate, policy check, or user-visible disclosure in the operational code path. In a media-analysis context, those inputs may contain sensitive, copyrighted, regulated, or internal material, so silent third-party transmission creates a real data-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.
