ClawHub

Video Repurposing Script Generator

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for turning user-provided videos into social content, but users should be careful with API keys, private recordings, and any publishing integrations.

Install only if you are comfortable configuring OpenAI and YouTube credentials and sending relevant video content or transcripts to those providers. Use it to draft content first, and require explicit confirmation before any connected tool posts, schedules, emails, or notifies others. Keep real API keys out of prompts, shared terminals, screenshots, and source control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The manifest description is very broad and can be triggered by many generic content-creation requests, increasing the chance the skill is invoked when users did not intend video analysis or third-party processing. Over-broad routing is dangerous because it can cause unnecessary handling of user content, links, transcripts, and connected-service data under the wrong skill context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises multiple external integrations and API-backed processing but does not clearly warn users that video content, transcripts, metadata, and possibly personal or business information may be transmitted to third parties. This creates privacy and data-governance risk because users may provide sensitive recordings without informed consent or understanding of where the data is sent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The configuration section includes example secrets, .env guidance, and CLI configuration commands but does not warn against committing keys to repositories, exposing them in logs, or pasting real credentials into prompts and shared terminals. This is dangerous because API keys are high-value secrets that can be stolen through source control, shell history, screenshots, or agent logs, leading to unauthorized API usage and account compromise.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal