ClawHub

Captions and Clips from YouTube Link

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MakeAIClips integration, but it sends YouTube links or uploaded videos to an external service for processing.

Install only if you are comfortable sending YouTube URLs and any uploaded videos to MakeAIClips for remote processing. Keep MAKEAICLIPS_API_KEY private, monitor quota or billing impact, and avoid submitting private, sensitive, regulated, or unauthorized media unless the provider's terms and privacy practices are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The suggested trigger phrase is broad enough that an agent could invoke this skill whenever a user mentions making clips from a YouTube link, without an explicit confirmation that the user wants content sent to a third-party service. In an agent setting, overly permissive invocation increases the chance of unintended execution and unintended disclosure of URLs or related metadata to the external API.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README states the agent will submit jobs, poll progress, and return download links, but it does not clearly warn users that the YouTube URL and associated processing data are transmitted to an external service. This omission weakens informed consent and can cause privacy, compliance, or trust issues when the agent handles user-provided content automatically.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is overly broad and includes catch-all phrasing like 'anything related to AI video clipping,' which can cause the agent to invoke this skill in contexts the user did not clearly intend. That increases the chance of sending user-provided URLs or media to a third-party service unnecessarily, creating privacy and data-sharing risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document states that users can upload files and that the service performs transcription and clip selection, but it does not clearly warn that video/audio content, transcripts, and derived clips are sent to and processed by a third party. Users may unknowingly expose sensitive or copyrighted material because the privacy implications for uploaded media and transcribed content are not made explicit.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal