
Security audit

Parse Video - 视频去水印

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do video parsing as described, but on first use it downloads and runs an unverified native executable fetched from a mutable remote repository.

Install only if you trust the publisher and the referenced Gitee repository. Treat first use as running third-party native code on your machine, preferably in a constrained environment, and avoid starting the HTTP service unless you have verified it binds only to localhost and is not reachable from untrusted networks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes shell scripts and platform binaries but does not declare corresponding permissions or clearly communicate that it will execute local commands. This creates a trust and review gap: users and hosting systems may authorize a seemingly simple parsing skill without realizing it has code-execution capability.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The README presents the tool as '安全可靠' ("safe and reliable") and '仅本地运行' ("runs locally only") while also documenting that it will automatically download a closed-source, platform-specific executable on first use. That is a misleading trust signal: users may believe no remote code retrieval occurs, when in fact unverified executable code is fetched and later run locally, increasing supply-chain and social-engineering risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill states that first use automatically downloads a platform-specific binary from a remote Gitee source and then executes it. Download-and-execute behavior is a major supply-chain risk because a compromised source, tampered artifact, or man-in-the-middle issue could lead to arbitrary code execution on the user's machine.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
Exposing a local HTTP service and Web UI increases the attack surface beyond simple link parsing. Even if intended for convenience, a local server can introduce risks such as unintended network exposure, CSRF-like interactions from the browser, weak binding defaults, or abuse by other local processes if not carefully constrained.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's advertised purpose is parsing video links, but it also fetches an executable from a remote Git repository and runs it locally. That creates a supply-chain and arbitrary code execution risk: if the repository, branch, transport path, or copied binary is compromised, users will execute attacker-controlled code under their own account.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The function clones or updates a remote repository, copies a binary from dist/, marks it executable, and immediately runs it later in the script. This is direct remote code acquisition and execution without integrity verification, commit pinning, or provenance checks, so compromise of the repo or branch can lead to full execution of malicious payloads.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script downloads code from an external Git repository at runtime and immediately executes the retrieved platform-specific binary without any integrity pinning, signature verification, or reproducible build validation. This creates a supply-chain execution path where compromise of the repository, branch, transport, or maintainer account can lead to arbitrary code execution on the host.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This is a stronger instance of the same issue: the skill bootstraps itself by cloning a remote repository, selecting a binary based on platform, copying it locally, marking it executable, and running it. Because the binary origin is mutable (branch-based) and unauthenticated beyond Git transport, an attacker who can influence that repository or its delivery can obtain arbitrary execution with the permissions of the user running the skill.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance says users can 'directly send a video link' for automatic parsing, which is broad enough to trigger on normal link-sharing conversations. In an agent skill context, overly permissive triggers can cause unintended execution, unexpected network activity, and automatic binary download/execution from benign user messages.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents automatic binary download but does not clearly warn users at the point of use that network retrieval and a local executable write will occur. For a closed-source binary, this reduces informed consent and increases the chance users unknowingly allow remote code delivery into their environment.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The README advertises starting an HTTP service without warning whether it binds only to localhost, what port exposure occurs, or what data/actions the endpoint permits. In agent and desktop environments, undocumented local services can expand the attack surface and may become remotely reachable if misconfigured.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The caution section omits the most relevant operational risk: automatic download of a closed-source executable and writing it to a local cache. Omitting that from the safety notes makes the skill context more dangerous because this is an agent-integrated tool that may be triggered by user content, so transparency about code retrieval and execution is especially important.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list is very broad, including generic phrases like '下载视频' ("download video"), '解析链接' ("parse link"), and English variants that may match common user requests unrelated to this specific skill. Overbroad activation can cause the agent to invoke a higher-risk skill unexpectedly, increasing the chance of unintended script execution, binary downloads, or exposure to untrusted URLs.

Missing User Warnings

High
Confidence
96% confidence
Finding
The description presents the skill as a video parsing utility but omits a critical behavior: first use downloads and executes a platform-specific binary. This lack of upfront disclosure prevents informed consent and materially understates the security implications of using the skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs network access and executes downloaded code but only presents it as a normal first-use download, without clearly warning that executable code from a remote repository will be run. This weakens informed consent and increases the chance users will run untrusted code they would otherwise scrutinize.

VirusTotal

64/64 vendors flagged this skill as clean.
