ClawHub

Clip Media

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent about media downloads and public uploads, but its script builds shell commands from user-supplied URLs, creating a serious local command-injection risk.

Install only if you trust the publisher and understand that downloaded media may be sent to public file hosts. Avoid private, paid, confidential, or regulated content. The script should be fixed to call yt-dlp and curl without a shell before broad use with arbitrary URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically uploads downloaded media to third-party file-sharing services (tmpfiles.org/transfer.sh) when size thresholds are met or when upload flags are used, but it does not provide an explicit privacy/security warning about external transmission, retention, or trust boundaries. In an agent/skill context, users may expect local handling only, so silent exfiltration of downloaded content to external services can disclose sensitive or copyrighted material.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script suggests using `yt-dlp --cookies-from-browser chrome <url>` to bypass authentication limitations, which directs users toward accessing browser-stored session cookies without any warning about the sensitivity of those credentials. While it does not itself extract cookies, normalizing this guidance in a skill increases the chance that privileged browser auth data will be exposed, mishandled, or used in unsafe environments.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal