ClawHub

YouTube-Hook

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent YouTube content-planning helper with a disclosed optional Tavily trend lookup, not evidence of hidden or malicious behavior.

Install if you are comfortable with the optional trend-analysis helper sending topic queries to Tavily using your Tavily API key. Avoid using confidential drafts, private launch plans, or sensitive personal topics with trend lookup unless you are comfortable sharing that query with Tavily.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares access to an environment variable and indicates supporting scripts/files, yet it does not explicitly declare permissions while still implying network-capable behavior. This creates a transparency and consent problem: users may invoke a content-generation skill without realizing it can access secrets or make outbound requests, which can lead to unexpected data exposure or secret misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a generator for YouTube assets, but the implementation reportedly also uses the Tavily search API and reads TAVILY_API_KEY from the environment. That mismatch is dangerous because users may provide proprietary drafts, business plans, or unpublished content expecting local transformation, while the skill may transmit that content to a third party without clear disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal