ClawHub

AV Skill

Security checks across malware telemetry and agentic risk

Overview

This audio/video skill is coherent with its stated purpose and shows no hidden or destructive behavior, but its dependency and privacy disclosures are thin.

Install in a virtual environment, consider pinning and auditing dependencies before use, and avoid sensitive media, private URLs, or confidential TTS text unless you understand which operations are local and which may contact external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly states that the skill handles URLs and requires internet connectivity for some features, but it does not warn users that media files, text, or metadata may be transmitted to remote services. In a multimedia-processing skill, this can expose sensitive local content or user prompts to third parties, especially for URL fetching and cloud-backed TTS features.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Audio and video processing libraries
pydub
moviepy
opencv-python
Confidence
96% confidence
Finding
pydub

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Audio and video processing libraries
pydub
moviepy
opencv-python

# Text-to-speech
Confidence
96% confidence
Finding
moviepy

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Audio and video processing libraries
pydub
moviepy
opencv-python

# Text-to-speech
gTTS
Confidence
98% confidence
Finding
opencv-python

Unpinned Dependencies

Low
Category
Supply Chain
Content
opencv-python

# Text-to-speech
gTTS

# General utilities
requests
Confidence
94% confidence
Finding
gTTS

Unpinned Dependencies

Low
Category
Supply Chain
Content
gTTS

# General utilities
requests
 Pillow
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: opencv-python — 10 advisory(ies): CVE-2017-12864 (Integer Overflow or Wraparound in OpenCV); CVE-2017-12598 (Out-of-bounds Read in OpenCV ); CVE-2019-14493 (NULL Pointer Dereference in OpenCV.) +7 more

High
Category
Supply Chain
Confidence
86% confidence
Finding
opencv-python

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
requests

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
92% confidence
Finding
Pillow

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal