Video Sourcing Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper around a video-sourcing runtime, but using it means trusting external code that the wrapper downloads and then runs locally with your API keys.

Install only if you trust Memories.ai Labs and the external video-sourcing runtime it fetches. Use restricted Google and YouTube API keys, watch quota or billing exposure, and prefer explicit /video_sourcing invocations when you want tighter control over when local host execution occurs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script is presented as a concise runner, but on first use it clones a remote GitHub repository and installs its dependencies, materially expanding the trust boundary. Even though the repo URL and tag are pinned, this still executes externally sourced code and performs networked installation at runtime, which is risky for a skill wrapper and should be explicitly disclosed and constrained.
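A pinned tag is weaker than a pinned commit, because a tag can be moved on the remote after the skill was reviewed. The check below is an added example, not code from the skill, SkillSpector, or Memories.ai Labs: it parses the output of `git ls-remote --tags` and confirms that the pinned tag still resolves to the commit recorded at review time before anything is cloned. The repository state in `SAMPLE_LS_REMOTE` (SHAs and tag names) is constructed for the demo; `fetch_ls_remote` is the live, network-using variant.

```python
import re
import subprocess
from typing import Optional

# Constructed sample of `git ls-remote --tags <url>` output; SHAs and tags are made up.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.0.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v1.1.0\n"
    "3333333333333333333333333333333333333333\trefs/tags/v1.1.0^{}\n"
)

# git prints one "<sha><TAB><ref>" line per ref.
_LINE = re.compile(r"^([0-9a-f]{40})\t(\S+)$")


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Return the commit SHA a tag currently points at, or None if the tag is absent.

    A lightweight tag lists the commit directly. An annotated tag lists the tag
    object first and then a peeled line `refs/tags/<tag>^{}` whose object is the
    commit, so the peeled line wins when it is present.
    """
    ref = f"refs/tags/{tag}"
    direct = peeled = None
    for line in ls_remote_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        sha, name = m.groups()
        if name == ref + "^{}":
            peeled = sha
        elif name == ref:
            direct = sha
    return peeled or direct


def check_pin(ls_remote_output: str, tag: str, expected_commit: str) -> bool:
    """True only if the pinned tag still resolves to the commit recorded at review time."""
    actual = resolve_tag(ls_remote_output, tag)
    return actual is not None and actual == expected_commit.lower()


def fetch_ls_remote(repo_url: str) -> str:
    """Live variant (needs network): ask the remote for its tags before cloning."""
    proc = subprocess.run(
        ["git", "ls-remote", "--tags", repo_url],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Expected commit for the pinned tag, as you would record it when reviewing the skill.
    print(check_pin(SAMPLE_LS_REMOTE, "v1.1.0", "3" * 40))  # True
```

In a real bootstrap, run `check_pin(fetch_ls_remote(url), tag, recorded_sha)` and abort the clone on `False`; the recorded SHA should live in the wrapper itself, not be fetched from the same remote.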

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The runner requires GOOGLE_API_KEY and YOUTUBE_API_KEY despite being described as a deterministic chat UX wrapper, indicating it handles sensitive credentials beyond a minimal wrapper role. Requiring secrets increases blast radius because the bootstrapped runtime and any of its dependencies gain access to those credentials at execution time.

Vague Triggers

Medium
Confidence: 90%
Finding
The free-form triggering criteria are broad enough that the skill may activate on ordinary requests for analysis whenever the user mentions video trends, creators, or brand analysis. Because this skill explicitly expects host execution and may auto-bootstrap external code plus use API-key-backed services, overbroad activation can cause unintended code execution, network access, and data disclosure beyond what the user clearly intended.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it expects host runtime execution and can auto-bootstrap a pinned runtime, but it does not present a clear user-facing warning about local execution, downloading external code, and use of required API-key-based external services. This weakens informed consent and can lead users to unknowingly authorize execution on the host, outbound network activity, and use of sensitive credentials.

Missing User Warnings

Medium
Confidence: 83%
Finding
The script silently removes the managed release directory when it finds an unexpected state, without warning or confirmation. While the path is derived from fixed internal locations, this behavior can still destroy local files in that managed path and makes recovery/auditing harder, especially if the directory was modified or pointed somewhere unsafe through environment-controlled base paths.
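The two risks in this finding, a removal target derived from an environment-controlled base path and a destructive reset that leaves nothing to audit, can both be contained. The code below is an added example, not the skill's own code: it refuses any base path or release directory that resolves (symlinks followed) outside an allowed root, and it moves an unexpected release directory aside instead of deleting it. The layout (a `release` subdirectory under the base path, and a `.pinned-ref` marker file naming the installed ref) is an assumption made for the example; `run_demo` builds constructed directories under a temporary root so the guards can be exercised offline.

```python
import os
import tempfile
import time


class UnsafePathError(Exception):
    """Raised when a path derived from environment input escapes the managed area."""


def contained_in(child: str, parent: str) -> bool:
    """True if `child` resolves (symlinks followed) to a location inside `parent`."""
    child_r = os.path.realpath(child)
    parent_r = os.path.realpath(parent)
    try:
        return os.path.commonpath([child_r, parent_r]) == parent_r
    except ValueError:  # e.g. different drives on Windows
        return False


def resolve_release_dir(base_path: str, allowed_root: str) -> str:
    """Derive the managed release directory from an environment-controlled base.

    The base must live inside `allowed_root`, and the release directory must not
    be a symlink, so a later move or removal cannot be redirected elsewhere.
    (Assumed layout: <base>/release.)
    """
    if not contained_in(base_path, allowed_root):
        raise UnsafePathError(f"base path {base_path!r} is outside {allowed_root!r}")
    release = os.path.join(os.path.realpath(base_path), "release")
    if os.path.islink(release):
        raise UnsafePathError(f"{release!r} is a symlink; refusing to manage it")
    return release


MARKER = ".pinned-ref"  # assumed marker file recording which pinned ref was installed


def state_matches(release_dir: str, expected_ref: str) -> bool:
    """The directory is in the expected state iff its marker names the pinned ref."""
    try:
        with open(os.path.join(release_dir, MARKER), encoding="utf-8") as f:
            return f.read().strip() == expected_ref
    except OSError:
        return False


def quarantine_unexpected_state(release_dir: str, allowed_root: str, expected_ref: str):
    """Move an unexpected release directory aside instead of deleting it.

    Returns the quarantine path, or None if nothing had to be done. Nothing is
    deleted, so the user can inspect or restore the old tree afterwards.
    """
    if not os.path.isdir(release_dir):
        return None
    if state_matches(release_dir, expected_ref):
        return None
    if not contained_in(release_dir, allowed_root):
        raise UnsafePathError(f"{release_dir!r} escapes {allowed_root!r}; not touching it")
    aside = f"{release_dir}.unexpected-{int(time.time())}"
    os.rename(release_dir, aside)  # renames the entry itself, never follows a symlink
    return aside


def run_demo() -> dict:
    """Exercise the guards on constructed directories; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "home")
        os.makedirs(os.path.join(allowed, "vs"))
        release = resolve_release_dir(os.path.join(allowed, "vs"), allowed)

        # 1. A base path pointing outside the allowed root is refused.
        try:
            resolve_release_dir(os.path.join(root, "elsewhere"), allowed)
            results["outside_base_refused"] = False
        except UnsafePathError:
            results["outside_base_refused"] = True

        # 2. Expected state: marker names the pinned ref, so nothing is moved.
        os.makedirs(release)
        with open(os.path.join(release, MARKER), "w", encoding="utf-8") as f:
            f.write("v1.2.3\n")
        results["expected_untouched"] = quarantine_unexpected_state(release, allowed, "v1.2.3") is None

        # 3. Unexpected state (different ref): moved aside, not deleted.
        aside = quarantine_unexpected_state(release, allowed, "v1.2.4")
        results["unexpected_quarantined"] = (
            aside is not None and os.path.isdir(aside) and not os.path.exists(release)
        )

        # 4. A symlinked release dir pointing outside the root is refused before any rename.
        outside = os.path.join(root, "victim")
        os.makedirs(outside)
        os.symlink(outside, release)
        try:
            quarantine_unexpected_state(release, allowed, "v1.2.4")
            results["symlink_escape_refused"] = False
        except UnsafePathError:
            results["symlink_escape_refused"] = True
        results["victim_intact"] = os.path.isdir(outside)
    return results


if __name__ == "__main__":
    print(run_demo())
```

A wrapper that adopts this shape should still tell the user that a quarantine directory was created and where, which is the disclosure the finding asks for.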

Missing User Warnings

Medium
Confidence: 95%
Finding
The script clones code from a remote repository and installs dependencies automatically, without user-facing disclosure of network activity or local file changes. In a security-sensitive agent environment, this is dangerous because it enables execution of remote code and package resolution logic at runtime, broadening supply-chain risk and making behavior differ between initial and later runs.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script requires sensitive API keys but provides no disclosure about how those credentials will be used by the bootstrapped agent runtime. Given that the script also downloads and executes external code, undisclosed secret usage is especially risky because users may assume a thin wrapper while their credentials are exposed to a much larger codebase.

VirusTotal

65 of 65 vendors rated this skill as clean.
