ClawHub

Dub YouTube with Voice.ai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent YouTube voiceover skill that sends chosen script text to Voice.ai and uses local ffmpeg tooling as expected for its purpose.

Install only if you are comfortable sending your selected script text to Voice.ai or to an endpoint you explicitly configure with VOICEAI_API_BASE. Use a dedicated, revocable API key, avoid sensitive or regulated scripts unless approved, keep VOICEAI_API_BASE unset unless you intentionally need it, and review generated ffmpeg helper scripts before running them manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly describes sending user-provided text to a remote third-party TTS service but does not warn that scripts, captions, or other content leave the local environment and are processed externally. In a workflow for dubbing YouTube content, users may submit unpublished scripts or sensitive material, so the lack of disclosure can lead to inadvertent privacy, confidentiality, or compliance exposure.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The tool sends user-provided script text, voice identifiers, and related parameters to a remote Voice.ai API, but the code provides no in-product privacy notice or explicit consent checkpoint at the transmission point. In a dubbing skill, this is contextually important because scripts may contain unpublished content, PII, or confidential material, so silent exfiltration to a third party can create real data exposure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal