ClawHub

Apify YouTube Email Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Apify-based YouTube contact-scraping skill, with privacy and third-party data-handling considerations but no hidden or destructive behavior in the artifact.

Install only if you are comfortable using a third-party Apify actor with your Apify token to collect public YouTube contact data. Keep searches narrow, protect and rotate the token if exposed, review Apify dataset retention, and use any collected emails only for lawful, consent-aware outreach that respects platform terms and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match common requests about YouTube search, channel info, or influencer research, which can cause the skill to activate in situations beyond narrowly intended email extraction. In this context, over-broad invocation matters because the skill performs contact-data collection and external transmission to a third-party scraping service, increasing privacy and misuse risk when invoked unintentionally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly promotes collecting email addresses and contact information for outreach and lead generation, but provides no warning about privacy expectations, lawful basis, platform terms, or responsible handling of scraped contact data. That omission makes harmful or non-compliant use more likely, especially because the skill targets personal/business contact details at scale.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal