Facebook Video Downloader

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised Facebook download function, but its privacy notice is misleading because it sends the provided Facebook URL to savefbs.com while claiming no user data is transmitted.

Review before installing. Use this only with public, non-sensitive Facebook links, and assume savefbs.com can see the full URL, including identifiers or tracking parameters. The skill does not show hidden persistence or credential access, but its privacy notice should be corrected before users rely on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium (98% confidence)
Finding
The security notice states that no user data is transmitted, but the workflow necessarily sends the user-provided Facebook URL to a third-party service for processing. This is a misleading security/privacy claim that can cause users to share data under false assumptions and reduces informed consent around third-party disclosure.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The script transmits a user-supplied Facebook URL to savefbs.com, an unrelated third-party service, without any indication in the stated skill behavior that user data will be disclosed externally. Even if the URL is not highly sensitive by itself, it can reveal private or semi-private content references, user interests, or access patterns, creating an avoidable privacy and trust risk.

Missing User Warnings

Medium (95% confidence)
Finding
The skill description and usage guidance do not clearly warn that Facebook video URLs are transmitted to savefbs.com, a third-party service. In this context, the omission is significant because the entire skill depends on external processing, so users may unknowingly disclose browsing targets or sensitive links to an outside provider.

Missing User Warnings

Medium (97% confidence)
Finding
The code sends the Facebook video URL to a third-party endpoint without an explicit user-facing warning or consent flow. In the context of a downloader skill, users may reasonably expect the tool to act on the provided URL directly, not disclose it to another service, so this creates a meaningful privacy and transparency issue.

VirusTotal

66/66 vendors flagged this skill as clean.
