TubeScribe

Security checks across malware telemetry and agentic risk

Overview

TubeScribe appears to be built for YouTube summaries, but it warrants review because it can automatically start a background agent, process transcript and comment text despite broad local-only privacy claims, and run local TTS environments from user-writable paths.

Install only if you are comfortable with a YouTube URL triggering background processing that fetches captions/comments, writes files locally, generates audio, and may expose transcript/comment text to your active agent or model environment. Review setup.py before accepting optional downloads, avoid private or sensitive videos, and consider changing the workflow to require confirmation before processing a URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Check if a Python package is installed in system Python."""
    import_name = import_name or package
    try:
        result = subprocess.run(
            [sys.executable, "-c", f"import {import_name}"],
            capture_output=True, timeout=10
        )
Confidence
94% confidence
Finding
result = subprocess.run([sys.executable, "-c", f"import {import_name}"], capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
venv_python = os.path.join(kokoro_dir, ".venv", "bin", "python")
    if os.path.exists(venv_python):
        try:
            result = subprocess.run(
                [venv_python, "-c", "from kokoro import KPipeline"],
                capture_output=True, timeout=10, cwd=kokoro_dir
            )
Confidence
86% confidence
Finding
result = subprocess.run([venv_python, "-c", "from kokoro import KPipeline"], capture_output=True, timeout=10, cwd=kokoro_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
python_path, kokoro_dir = get_python_for_kokoro()
    if python_path and kokoro_dir:
        try:
            result = subprocess.run(
                [python_path, "-c", "from kokoro import KPipeline; print('ok')"],
                capture_output=True, timeout=10, cwd=kokoro_dir
            )
Confidence
86% confidence
Finding
result = subprocess.run([python_path, "-c", "from kokoro import KPipeline; print('ok')"], capture_output=True, timeout=10, cwd=kokoro_dir)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(local_dir)
'''
    try:
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=15
        )
Confidence
82% confidence
Finding
result = subprocess.run([mlx_python, "-c", code], capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(blend_path)
'''
    try:
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=30
        )
Confidence
82% confidence
Finding
result = subprocess.run([mlx_python, "-c", code], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
print("OK")
'''
        result = subprocess.run(
            [mlx_python, "-c", code],
            capture_output=True, text=True, timeout=300
        )
Confidence
84% confidence
Finding
result = subprocess.run([mlx_python, "-c", code], capture_output=True, text=True, timeout=300)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
run_kwargs = {"capture_output": True, "text": True, "timeout": 300}
        if os.path.exists(os.path.join(kokoro_dir, "kokoro", "__init__.py")):
            run_kwargs["cwd"] = kokoro_dir
        result = subprocess.run([kokoro_python, "-c", code], **run_kwargs)

        if result.returncode == 0 and os.path.exists(wav_path):
            if audio_format == "mp3":
Confidence
84% confidence
Finding
result = subprocess.run([kokoro_python, "-c", code], **run_kwargs)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
venv_python = os.path.join(mlx_dir, ".venv", "bin", "python3")
    if os.path.exists(venv_python):
        try:
            result = subprocess.run(
                [venv_python, "-c", "from mlx_audio.tts.generate import generate_audio; print('ok')"],
                capture_output=True, text=True, timeout=15
            )
Confidence
78% confidence
Finding
result = subprocess.run([venv_python, "-c", "from mlx_audio.tts.generate import generate_audio; print('ok')"], capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
venv_python = os.path.join(kokoro_dir, ".venv", "bin", "python3")
    if os.path.exists(venv_python):
        try:
            result = subprocess.run(
                [venv_python, "-c", "from kokoro import KPipeline; print('ok')"],
                capture_output=True, timeout=10
            )
Confidence
78% confidence
Finding
result = subprocess.run([venv_python, "-c", "from kokoro import KPipeline; print('ok')"], capture_output=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not os.path.exists(python_path):
                continue
            try:
                result = subprocess.run(
                    [python_path, "-c", "from kokoro import KPipeline; print('ok')"],
                    capture_output=True, timeout=10, cwd=loc
                )
Confidence
79% confidence
Finding
result = subprocess.run([python_path, "-c", "from kokoro import KPipeline; print('ok')"], capture_output=True, timeout=10, cwd=loc)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill exercises sensitive capabilities including shell execution, network access, and file read/write, yet does not declare permissions or clearly gate those actions with user consent. This weakens policy enforcement and informed consent, making it easier for the skill to perform impactful actions such as downloading content, writing files in the home directory, and opening folders without transparent authorization.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes materially beyond summarizing/transcribing YouTube videos: it includes comment extraction, dependency installation/download flows, queue persistence, arbitrary text-to-audio generation, and config management. When a skill's real capabilities exceed its declared purpose, users and policy layers may underestimate risk and permit actions they would not otherwise approve.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation claims network calls are limited to YouTube, but elsewhere states setup may download a yt-dlp binary if missing. This contradiction is security-relevant because operators may rely on the stated boundary and not expect arbitrary third-party downloads, which expands supply-chain and egress risk.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill advertises that no data is sent to external services, yet the MLX model reference indicates use of a remote model source or at least a remote fetch path during setup/use. Even if user content is processed locally, remote model retrieval still creates undeclared network exposure and trust in external artifacts.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill is marketed as a YouTube summarizer/transcriber, but it also exposes a standalone local text-to-audio feature that reads arbitrary files and processes them through multiple TTS backends. That expands capability beyond the advertised scope and can be abused to process sensitive local content or trigger execution paths unrelated to YouTube handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow writes files into ~/Documents/TubeScribe and opens the folder automatically, but the description does not prominently disclose these local side effects. Hidden or under-disclosed file system changes reduce user awareness and can surprise users in sensitive environments where automatic file creation or GUI actions are not acceptable.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script automatically fetches and stores top YouTube comments alongside transcripts and metadata without explicit notice or consent gating. In a summarization skill, this broadens data collection to third-party user-generated content and may surprise users or violate data-minimization expectations.

Session Persistence

Medium
Category
Rogue Agent
Content
---
8. `## **Full Transcript**` — merge segments, speaker labels, clickable timestamps

### Step 4: Create DOCX
Clean the title for filename (remove special chars), then:
```bash
pandoc <output_path> -o ~/Documents/TubeScribe/<safe_title>.docx
```
Confidence
83% confidence
Finding
Create DOCX Clean the title for filename (remove special chars), then: ```bash pandoc <output_path> -o ~/Documents/TubeScribe/<safe_title>.docx ``` ### Step 5: Generate audio Write the summary text t

VirusTotal

56/56 vendors flagged this skill as clean.
