AI Video Upscale

Security checks across malware telemetry and agentic risk

Overview

This video-upscaling skill is mostly coherent, but its shell script has unsafe command handling that could let crafted input run local commands.

Use Review-level caution. Install only if you trust the publisher and can patch or constrain the script first: sanitize JOB_ID to a safe character set, quote the trap cleanup safely, avoid attacker-controlled job IDs, and verify the downloaded upscaling binaries before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger list is broad enough to match many ordinary user requests such as 'enhance' or 'improve quality', which can cause the skill to activate in situations the user did not intend. Over-broad activation increases the chance of incorrect tool invocation, unintended processing of user files, and confusing or unsafe agent behavior when multiple skills could match the same request.

Vague Triggers

Low
Confidence: 82%
Finding
The example prompts are vague and reinforce activation on underspecified phrases like 'Upscale this' or 'Make this 4K' without clarifying that the input must be a video. This can bias an agent toward invoking the skill on ambiguous requests, increasing accidental activation and misuse rather than representing a direct code-execution flaw.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list contains very generic phrases such as "upscale," "enhance," and "improve quality," which are common in normal user requests and can cause the skill to activate outside narrowly intended video-upscaling contexts. In an agent system, unintended activation can route user input into this skill unexpectedly, causing inappropriate tool use, confusion, or execution of processing workflows on the wrong content.

VirusTotal

65/65 vendors flagged this skill as clean.
