LovTrip Video to Article

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it turns a user-provided YouTube video into an article using Google Gemini, with no evidence of hidden persistence, local data harvesting, or destructive behavior.

Install only if you are comfortable sending the selected YouTube URL, prompt, and generation request to Google Gemini and using your Gemini API quota. Prefer the included script for the reviewed path; if using the MCP setup, pin and review the lovtrip npm package version before giving it an API key.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly relies on Google Gemini to analyze YouTube content, but it does not clearly warn users that providing a video URL causes video content and related metadata to be sent to an external third-party service for processing. This creates a transparency and privacy risk: users may unknowingly submit URLs that reveal viewing interests, internal/unlisted content, or sensitive contextual metadata to Google.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script sends the user-provided video URL and prompt content to Google's Gemini API, which is an external service, without any explicit notice, consent flow, or validation. In a skill context, users may assume processing is local, so this can create an unanticipated privacy and data-handling risk, especially if the supplied URL contains sensitive tokens or points to non-public media.

VirusTotal

64/64 vendors flagged this skill as clean.
