ClawHub

LibTV API Skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed LibTV media-generation skill that sends prompts and selected media to LibTV and can save generated results locally.

Install only if you want to use LibTV for media generation and trust it with your prompts, API key, and any reference images or videos you provide. Use a dedicated LibTV key if possible, keep the API base URL at the default unless you trust the replacement endpoint, and expect generated media to be saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly requires environment access, network communication, and file handling. This mismatch weakens platform trust boundaries because users and policy systems cannot accurately assess what the skill can do before invocation, especially given it uploads files, queries remote APIs, and downloads outputs locally.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger scope is intentionally expansive and says the skill must activate for essentially any AI image or video creation/edit request. Over-broad routing can cause this skill to capture prompts that belong elsewhere, including sensitive file-handling or media-processing requests, increasing the chance of unintended uploads, network calls, and local writes without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to automatically download generated images/videos to local storage after completion, without requiring an explicit user warning or opt-in at the time of write. Automatic local writes create privacy and safety risks because untrusted remote content is persisted on disk, potentially consuming storage, exposing sensitive filenames/paths, or surprising the user with files they did not knowingly approve.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal