ClawHub

Ai Content Repurposer

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised content repurposing, but users should know that AI-powered mode sends selected content to OpenAI and uses their API key.

Install only from a source you trust, use a dedicated OpenAI API key if possible, and avoid processing confidential, regulated, client, or unpublished content unless you are comfortable sending it to OpenAI. Review any file paths, URLs, batch configs, and output locations before allowing an agent to run the tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The quickstart instructs users to set an API key and submit transcripts, blog text, podcast content, and URLs to the tool, but it does not warn that this content may be transmitted to an external AI provider. That can lead users to unknowingly send sensitive proprietary, personal, or unpublished material off-host, creating privacy, confidentiality, and compliance risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to provide blog URLs, transcripts, and an OpenAI API key, but it does not warn that submitted content may be transmitted to external services for fetching and AI processing. Users may unknowingly send proprietary, unpublished, or personal content to third-party systems, creating confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly requires an OpenAI API key and shows API-based transformations, but it does not disclose that user-provided transcripts, blog text, or podcast content may be sent to a third-party AI service. This creates a real privacy and data-handling risk because users may submit proprietary, client, or sensitive material without informed consent or understanding of external transmission.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User-provided or fetched content is sent to the external OpenAI API in _callAI, but there is no explicit user-facing consent, disclosure, or transmission boundary in the code path that fetches and processes third-party blog content. This creates a privacy and data-handling risk, especially if users submit proprietary, private, or regulated content expecting local-only processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal