Video Notes

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised YouTube media-processing work, but it can modify the host Python environment at runtime and does not clearly disclose or scope that behavior.

Review before installing. This does not look malicious from the supplied evidence, but it can download media, write local files, invoke media tools, and install a Python package into the host environment during use. Prefer a version that declares its permissions, preinstalls or pins yt-dlp, removes --break-system-packages, and clearly documents network access, disk usage, and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import yt_dlp  # noqa
except ImportError:
    subprocess.check_call(
        [sys.executable, "-m", "pip", "install", "yt-dlp", "-q", "--break-system-packages"],
        stderr=subprocess.DEVNULL,
    )
Confidence
89% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "yt-dlp", "-q", "--break-system-packages"], stderr=subprocess.DEVNULL, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import yt_dlp  # noqa
except ImportError:
    subprocess.check_call(
        [sys.executable, "-m", "pip", "install", "yt-dlp", "-q", "--break-system-packages"],
        stderr=subprocess.DEVNULL
    )
Confidence
97% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "yt-dlp", "-q", "--break-system-packages"], stderr=subprocess.DEVNULL )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes local Python scripts, writes outputs under /tmp, reads templates/assets, and executes shell commands, but the manifest shown does not declare corresponding permissions. Undeclared capabilities reduce transparency and can bypass user or platform expectations about what the skill is allowed to do, especially when shell execution and file I/O are involved.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Installing a Python package at runtime is an environment-modifying action that exceeds the expected scope of a subtitle-extraction helper. This creates supply-chain exposure, can break system packages due to --break-system-packages, and makes the skill's behavior depend on network access and mutable external package state.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The README advertises fetching YouTube content, extracting subtitles, taking screenshots, and producing a self-contained HTML file, but it does not clearly disclose that the skill performs network access, may auto-install tools, and writes artifacts to local storage. This is dangerous because users may invoke the skill without informed consent about outbound requests and file creation, which can create privacy, compliance, and operational surprises in restricted environments.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill directs downloading video segments, processing them with ffmpeg, and writing temporary files without clearly warning the user about network activity, disk writes, or local media handling. While expected for the feature, the lack of disclosure can surprise users, create privacy concerns, and cause unintended resource consumption on the host.

VirusTotal

VirusTotal findings are pending for this skill version.
