ClawHub

Video Captions

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent video-captioning helper with local defaults and clearly optional cloud transcription choices, not a hidden uploader.

Safe to consider for local caption generation. Use the default local Whisper workflow for sensitive media, set cloud API keys only when you intentionally want AssemblyAI or Deepgram to process the audio/video, install dependencies in a trusted environment, and verify quoted input/output paths before running ffmpeg commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This markdown file includes cloud transcription examples for AssemblyAI and Deepgram that send `video.mp4` contents to external APIs, but the section only mentions accuracy and cost. While the earlier local-engine section says 'No Data Leaves Machine', the cloud section does not explicitly warn that media will be transmitted to third parties and may have privacy implications.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Requires DEEPGRAM_API_KEY
curl -X POST "https://api.deepgram.com/v1/listen?model=nova-2" \
  -H "Authorization: Token $DEEPGRAM_API_KEY" \
  -H "Content-Type: audio/mp4" \
  --data-binary @video.mp4
Confidence
60% confidence
Finding
curl -X POST "https://api.deepgram.com/v1/listen?model=nova-2" \ -H "Authorization: Token $DEEPGRAM_API_KEY" \ -H "Content-Type: audio/mp4" \ --data-binary

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Requires DEEPGRAM_API_KEY
curl -X POST "https://api.deepgram.com/v1/listen?model=nova-2" \
  -H "Authorization: Token $DEEPGRAM_API_KEY" \
  -H "Content-Type: audio/mp4" \
  --data-binary @video.mp4
Confidence
50% confidence
Finding
https://api.deepgram.com/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal