Video Compressor

Security checks across malware telemetry and agentic risk

Overview

This skill mainly prints guidance for using a third-party video compressor, with some confusing legacy script names but no hidden upload, credential access, persistence, or destructive behavior found.

Before installing, note that this is a guidance skill, not a local compressor. Use the primary guide_video_compressor.py script rather than the legacy image/SVG-named scripts, and avoid uploading confidential videos to VideoAny unless you trust that service's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 87%
Finding
This script claims to be a backward-compatible legacy entrypoint for image-to-SVG conversion, but it actually invokes video-compressor guidance instead. That mismatch can mislead users, automation, or upstream tooling into running an unrelated capability under a trusted legacy name, which is a supply-chain and operator-trust risk even though it does not itself execute obviously dangerous shell commands here.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
Redirecting a script named convert_image_to_svg.py to video-compressor guidance is deceptive behavior because the filename and compatibility message imply preserved semantics that are no longer true. In a skill with shell execution permission, this kind of misdirection is more dangerous because callers may trust the entrypoint name and invoke broader downstream behavior than intended.

VirusTotal

66/66 vendors flagged this skill as clean.
