Video Download Transcribe

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for video download and transcription, but it needs Review because pasted video links can trigger downloading and analysis while transcripts or frames may be sent to external services without a clear consent gate.

Install only if you are comfortable with this skill downloading videos, running local media tools and browser automation, caching models, and potentially sending links, transcripts, or extracted frames to third-party services. Avoid private, confidential, copyrighted, or account-sensitive videos unless you have verified the referenced helper scripts, API settings, storage locations, and how to delete generated files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (94% confidence)
Finding
The trigger conditions are broad enough that ordinary conversation or simply pasting a supported URL will auto-activate a workflow that downloads media and performs local or remote analysis. In this skill, activation can lead to file writes, model downloads, network requests, and possible transmission of URLs or extracted content to third-party services, so accidental invocation has meaningful privacy and safety consequences.

Missing User Warnings

Medium (91% confidence)
Finding
The skill clearly instructs downloading videos to local paths like /tmp and producing transcript artifacts, but it does not prominently warn users that local files will be written and may persist if cleanup is not performed. In a media-processing skill, silent local storage increases the risk of exposing sensitive videos, transcripts, or derived analysis to other local users, backups, or later processes.

Missing User Warnings

Medium (95% confidence)
Finding
The visual-enhancement and multi-platform workflow relies on remote services such as TikHub, Hugging Face model downloads, and MiniMax image understanding, yet the documentation does not clearly disclose that video URLs, transcript text, or extracted frames may be sent off-device. Because video content can contain personal, confidential, or copyrighted material, undisclosed transmission to third parties materially increases privacy and compliance risk.

Missing User Warnings

Low (83% confidence)
Finding
The document notes that first-time use needs network access to fetch models, but it does not present this as a prominent user warning near activation or setup. Unexpected outbound requests can violate user expectations in restricted or sensitive environments, especially when users believe transcription is purely local.

VirusTotal

64/64 vendors flagged this skill as clean.
