gallery-dl

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward gallery-dl helper, with the main caution that its authentication examples can expose passwords if used as written.

Install only if you intend to use gallery-dl for downloading galleries. Avoid passing passwords on the command line, protect any .netrc or config files with restrictive permissions, consider a virtual environment and pinned package version, set download limits for large galleries, and respect site terms and copyright rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill recommends passing usernames and passwords directly on the command line without warning that command-line arguments can be exposed via shell history, process listings, logs, and telemetry. This can lead to unintended credential disclosure on multi-user systems or in monitored environments.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script accepts username and password directly on the command line, which can expose secrets through shell history, process listings, audit logs, and orchestration telemetry. In an agent/skill context, these arguments may also be persisted in task logs or passed through higher-level systems, increasing credential exposure risk.

VirusTotal

66/66 vendors flagged this skill as clean.
