Video Crawler

Security checks across malware telemetry and agentic risk

Overview

This video-downloader skill mostly matches its stated purpose, but it ships an unrelated hardcoded API key and lets downloaded files be written to arbitrary user-supplied paths.

Review before installing. Remove the hardcoded API key and rotate it if it is real. Use the tool only for videos you own or are authorized to download, install dependencies from trusted sources, and write outputs only to a dedicated download directory rather than system or configuration paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
A hardcoded API key is present in source code and is unrelated to the stated purpose of a video crawler, which materially increases suspicion. Embedded credentials can be extracted by anyone with code access and reused for unauthorized API consumption, billing abuse, or access to associated services.

Missing User Warnings

Low
Confidence: 95%
Finding
The skill documentation instructs users to run a video crawler that downloads content and writes an output file, but it does not clearly warn that local files will be created and may consume disk space or store potentially sensitive/copyrighted media. This is not an exploit by itself, but it is a real safety/usability issue because users may trigger persistent file writes without informed consent.

Missing User Warnings

High
Confidence: 99%
Finding
The code contains an undisclosed hardcoded API credential without any functional need shown by the implementation. In this skill context, that makes the credential exposure more concerning because it suggests secret leakage or hidden capability beyond the stated video-downloading behavior.

Ssd 3

High
Confidence: 99%
Finding
The hardcoded credential is a direct secret exposure in source code. Anyone obtaining the file can recover the key, and because the key appears unrelated to the declared functionality, the skill context makes this more dangerous by suggesting accidental leakage or undisclosed external access.

VirusTotal

64/64 vendors flagged this skill as clean.
