video-frame-extractor

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video frame extraction guide, with expected FFmpeg setup and file-output cautions but no hidden code or unrelated data access.

Install only if you are comfortable letting an agent run FFmpeg on videos and write extracted frames to a selected folder. Do not let it install FFmpeg or change PATH automatically on a managed or shared machine unless you approve that setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill includes system-level package installation and PATH modification instructions that go beyond its stated purpose of extracting frames from videos. In an agent setting, these commands can cause unauthorized environment changes, expand execution scope, and create supply-chain or persistence risks if followed automatically or without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill goes beyond frame extraction by directing the agent to install FFmpeg via package managers and, on Windows, modify PATH. Those actions change the host environment and may require elevated privileges, which is broader than the minimum capability needed for a task-specific skill and increases the risk of unintended system modification.

Missing User Warnings

Low
Confidence: 86%
Finding
The skill instructs the agent to write many image files to disk without clearly warning the user about filesystem side effects such as directory creation, disk usage, clutter, or overwriting existing outputs. In an agent setting, silent bulk file creation can surprise users and, if paths are user-influenced, can lead to unintended modification of local directories.

VirusTotal

66/66 vendors flagged this skill as clean.
