ClawHub
Back to skill

Security audit

subtitle-converter

Security checks across malware telemetry and agentic risk

Overview

This skill is a local subtitle conversion utility with file access that matches its stated purpose.

Installers can treat this as a normal local file utility. Use it only on subtitle files and directories you intend to process, and choose output paths carefully because explicit outputs can replace existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad everyday phrases such as '字幕格式' and '字幕合并', which can cause the skill to activate in loosely related conversations. Overbroad activation increases the chance that the agent invokes file-processing behavior unexpectedly, potentially operating on user files when the user did not clearly intend to use this skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal