YouTube OpenClaw Monitoring System

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed YouTube monitoring helper that saves summaries locally and sends reports to Telegram, with privacy caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending transcript-derived reports through Telegram and storing them in youtube-summaries. Avoid monitoring confidential, private, or copyrighted material unless you control the Telegram destination and local file retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 85%
Finding
The README explicitly states that video-derived content will be saved locally and automatically pushed to Telegram, but it does not warn users about the resulting data disclosure, retention, or third-party sharing implications. In a monitoring workflow that processes transcripts and summaries, this can lead to unintentional exposure of sensitive or copyrighted content to local storage, logs, or Telegram recipients.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly sends data to external services (transcriptapi.com and Telegram) and writes output files locally, but it does not warn the user what content will leave the environment or be stored on disk. This can lead to unintended disclosure of searched topics, video metadata, transcripts, summaries, and identifiers, especially in automated cron-based execution where transmission happens without an interactive review step.

VirusTotal

66/66 vendors flagged this skill as clean.
