Audio Video

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate ffmpeg helper, but it needs review because it includes screen, camera, microphone, live-streaming, restreaming, and rolling DVR commands without enough privacy, consent, destination, or retention guardrails.

Install only if you are comfortable reviewing generated ffmpeg commands before running them. Use capture, streaming, restreaming, or DVR commands only with consent from affected people. Before running them, confirm the exact devices, screen region, destination URLs, audience settings, and retention window. Avoid exposing real stream keys in chat, logs, or shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill includes screen and webcam capture commands, which expand behavior beyond transforming user-supplied media into recording from live devices. In an agent setting, this can enable unintended collection of sensitive information from the user's screen, microphone, or camera if triggered without explicit, informed consent.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list is extremely broad and includes many generic media terms, increasing the chance the skill activates for requests the user did not intend to route to a powerful media-processing capability. In an agent ecosystem, over-broad activation raises the risk of invoking capture, streaming, installation, or file-processing behaviors in inappropriate contexts.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill documents screen and webcam capture plus streaming commands without prominent warnings about recording consent, private data exposure, or accidental capture of sensitive content. This is dangerous because an agent may present or run these commands in contexts where the user has not considered the privacy and legal implications.

Missing User Warnings

Medium
Confidence: 91%
Finding
The screen and webcam capture section explicitly enables recording live screen contents, webcams, and audio inputs, but provides no warning about capturing sensitive information such as passwords, private messages, confidential documents, or bystanders. In an agent context, this omission increases the chance that users trigger privacy-invasive capture workflows without informed consent or awareness of the data being collected.

Missing User Warnings

Medium
Confidence: 89%
Finding
The streaming/restreaming sections describe sending media to RTMP, HLS, DASH, SRT, and multiple external endpoints without warning that content may leave the local machine and be transmitted to third-party services. In a skill intended for agent use, this can lead to accidental disclosure of private or regulated media to remote destinations.

VirusTotal

66/66 vendors flagged this skill as clean.
