Vimeo Locked-Embed Caption Extraction

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about what it does, but its main purpose is to bypass Vimeo domain/privacy restrictions to extract captions.

Install only if you will use it for videos and captions you are authorized to access. This may violate a publisher's privacy settings, terms, copyright expectations, or paywall restrictions; prefer an official transcript, permission from the publisher, or Vimeo-supported access where available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly describes a method to extract captions from domain-restricted Vimeo embeds by using the correct Referer header and a leaked signed captions URL, which is effectively guidance for bypassing an access-control/privacy restriction. Even if the goal is only transcript extraction, this normalizes unauthorized access to content made intentionally unavailable outside approved domains and omits any warning to verify authorization or comply with the site owner's terms.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs users how to obtain captions from a Vimeo embed that is protected by domain-restriction/privacy controls by supplying a matching Referer and extracting a signed captions URL. Even though it targets transcript access rather than video playback, it still provides a method to bypass the practical effect of the publisher's access restrictions, creating privacy, compliance, and terms-of-service risk without any warning or authorization check.

VirusTotal

VirusTotal findings are pending for this skill version.
