video-merger

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local video-merging skill that uses ffmpeg as disclosed, with ordinary setup and overwrite risks users should understand.

Install only if you want local ffmpeg-based video processing. Review install.sh before running it, use trusted ffmpeg/ffprobe binaries, point the input at only the intended video folder, and choose an output path you are comfortable creating or overwriting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-c:a", "aac", "-ar", "44100", "-ac", "2",
                output_path
            ]
            subprocess.run(cmd_final, capture_output=True, check=True)

            # Verify the output file
            if os.path.exists(output_path) and os.path.getsize(output_path) > 0:
Confidence
79% confidence
Finding
subprocess.run(cmd_final, capture_output=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-c:a", "aac", "-ar", "44100", "-ac", "2",
                output_path
            ]
            subprocess.run(cmd_final, capture_output=True, check=True)

            return True
Confidence
79% confidence
Finding
subprocess.run(cmd_final, capture_output=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""检查依赖是否安装"""
        for tool in [self.ffmpeg_path, self.ffprobe_path]:
            try:
                subprocess.run([tool, "-version"], capture_output=True, check=True)
            except Exception as e:
                raise RuntimeError(f"未找到{tool},请先安装ffmpeg:https://ffmpeg.org/download.html") from e
Confidence
90% confidence
Finding
subprocess.run([tool, "-version"], capture_output=True, check=True)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list is broad enough to match many ordinary video-related requests, which can cause this skill to activate outside its intended niche of segmented short-video merging. Over-broad activation increases the chance an agent routes unrelated user tasks into a tool that performs file-processing operations, creating unnecessary exposure and potentially unsafe or confusing behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer invokes `sudo apt update && sudo apt install -y ffmpeg` without any prior warning, confirmation prompt, or clear disclosure that it will request elevated privileges and modify system packages. While common in setup scripts, this is still risky because users may run it blindly, granting root access to package operations they did not explicitly approve.

VirusTotal

66/66 vendors flagged this skill as clean.
