ClawHub

Upload Video Converter

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk instruction-only advisory skill, though its video-converter name overstates what it actually does.

Install only if you want a generic checklist for thinking through video upload or compatibility decisions. It will not convert, transcode, validate, or upload video files by itself, so use a separate trusted media tool for actual file processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a video conversion/upload capability, but its body contains only a generic decision-support workflow and no concrete conversion, upload, or file-handling procedures. This mismatch can misroute users and agents into invoking the skill for requests outside its real capability, creating deceptive behavior and increasing the chance of unsafe delegation, incorrect automation, or operator trust in nonexistent functionality.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation explicitly markets the skill as a video converter, while the detailed steps only describe generalized operational analysis and templated output generation. That inconsistency is dangerous because downstream systems or users may rely on the advertised capability and receive fabricated or irrelevant guidance, undermining security boundaries, capability routing, and trust in skill metadata.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description uses broad activation language such as 'use when you need help with video conversion for compatibility and uploads,' but the rest of the file is generic enough to match many loosely related operational requests. Overbroad triggers can cause inappropriate invocation, accidental context capture, and skill overreach, especially when combined with misleading capability claims.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal