Video Reverse Prompt

Security checks across malware telemetry and agentic risk

Overview

This skill sends user-selected videos or video links to NanoPhoto.AI for reverse-prompt analysis, which matches its stated purpose.

Install only if you are comfortable sending selected video URLs, local MP4 contents, filenames, and related request data to NanoPhoto.AI for processing. Configure NANOPHOTO_API_KEY through the platform's secure environment-variable settings, avoid uploading sensitive or unauthorized media, and remember that each API call may consume service credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill clearly instructs the agent to read local files and make outbound network requests, but it does not declare corresponding permissions or an explicit capability boundary. This creates a transparency and governance problem: users and platforms may not realize the skill can access local video files and transmit them to a third-party service.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill lacks a prominent privacy warning that supplied URLs and local MP4 content are uploaded to an external service for analysis. Users may provide sensitive or copyrighted media without understanding that the data leaves the local environment and is processed by a third party.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script base64-encodes the entire local MP4 and transmits it to a third-party API, but it does not provide an explicit runtime warning or confirmation that the full file contents will leave the local machine. In a skill that processes user-supplied videos, this matters because videos may contain sensitive personal, proprietary, or regulated content, and users may assume local-only analysis unless clearly told otherwise.

VirusTotal

66/66 vendors flagged this skill as clean.
