Youtube Summarizer

Security checks across malware telemetry and agentic risk

Overview

This video summarizer broadly does what it claims, but it needs review because it can automatically use Chrome browser cookies and send transcript content to external LLM services.

Install only if you are comfortable with a video tool that can read Chrome cookies for Bilibili downloads and transmit transcript text to external LLM providers. Prefer a dedicated browser profile or cookie file, set an explicit trusted LLM provider, avoid private or sensitive videos, and review setup.sh before installing dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'url' from requests.get (line 114, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
def _download_caption(url: str) -> Optional[str]:
    try:
        import requests
        r = requests.get(url, timeout=15)
        if r.status_code == 200 and r.text.strip():
            return r.text
    except Exception:
Confidence
83% confidence
Finding
r = requests.get(url, timeout=15)

Tainted flow: 'api_url' from os.environ.get (line 519, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}
        if api_key:
            headers["Authorization"] = f"Bearer {api_key}"
        response = requests.post(
            api_url,
            headers=headers,
            json={
Confidence
95% confidence
Finding
response = requests.post( api_url, headers=headers, json={ "model": model, "messages": [{"role": "user", "content": prompt}]

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises substantial capabilities—environment access, filesystem read/write, network access, and shell execution—but does not declare permissions or provide an explicit trust boundary. That makes it harder for operators to evaluate what the skill can touch, increasing the risk of unintended access to local files, secrets, or external systems when the skill is invoked.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill accesses Chrome browser cookies to download Bilibili content, which grants it credential-access capability beyond simple summarization. In this context, reading host browser cookies is especially dangerous because it touches highly sensitive session material that could be abused or exposed if the tool or dependencies are compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code enumerates multiple environment tokens and uses them across several external AI backends, expanding the skill's access to host secrets beyond the narrow summarization task. This broad secret harvesting materially increases blast radius if the skill is misused, misconfigured, or pointed at hostile services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly documents that transcripts and summaries may be sent to external LLM providers, including anonymous free-tier services, but does not prominently warn users that video-derived content may leave the local environment. In an agent skill context, this can cause unintentional disclosure of sensitive or proprietary transcript data to third parties, especially when users assume summarization is local or do not realize fallback behavior changes the data destination.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Bilibili section states that processing uses Chrome cookies to bypass anti-scraping protections, but the skill description does not present this as a sensitive action or warn that browser session cookies may be accessed. Reading browser cookies can expose authenticated session material and may broaden access beyond the requested video, especially on a multi-user or sensitive workstation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill says summaries may be generated via LLM APIs and later notes it may attempt anonymous/free Pollinations calls, but it does not clearly warn upfront that extracted transcripts and metadata may be sent to third-party services. This can leak video content, transcripts, channel data, or user-provided URLs to external providers without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accessing browser cookies without an explicit user-facing warning is a significant transparency and consent failure. In a summarization skill, hidden access to session cookies is more dangerous because users would not reasonably expect credential material to be read as part of normal operation.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill transmits video transcripts to third-party LLM services without a clear warning or consent flow. Transcripts may contain copyrighted, private, regulated, or sensitive content, so undisclosed external transmission creates a real confidentiality and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
