ClawHub

gnview-script-extraction

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uploads a user-selected MP4 to VolcEngine ARK for analysis, so the main risk is sharing private video content or an API key.

Use this only for videos you are comfortable sending to VolcEngine ARK, and avoid personal, confidential, regulated, or third-party content unless you have permission. Protect the ARK API key, consider using a limited-scope key, and install dependencies in a trusted Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'files' from open (line 17, file read) → requests.post (network output)

High
Category
Data Flow
Content
}
    
    try:
        response = requests.post(url, headers=headers, files=files, data=data)
        response.raise_for_status()
        result = response.json()
        if "error" in result or ("Error" in result and "Message" in result["Error"]):
Confidence
97% confidence
Finding
response = requests.post(url, headers=headers, files=files, data=data)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation describes commands that perform networked upload of local files and execute a Python script, but it does not declare corresponding permissions. This creates a transparency and governance gap: users or platforms may not realize the skill can transmit local data externally and invoke shell-based execution, increasing the risk of unintended data exposure or unsafe deployment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to upload local video files to an external analysis service but does not prominently warn that potentially sensitive video content will leave the local environment. Videos may contain faces, voices, screens, location clues, or other personal/confidential information, so omission of a clear privacy notice can lead to accidental disclosure to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code uploads local video data to a remote service without any explicit disclosure or interactive warning at the point of transmission. In a local automation or agent context, users may assume processing is local, so silent transfer of potentially sensitive recordings increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The analysis step sends the uploaded video reference and user-supplied prompt text to an external API, again without explicit disclosure in the execution flow. Prompts can contain sensitive operational or personal information, so transmitting them off-host can create confidentiality and policy issues.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal