ClawHub
Back to skill

Security audit

DubbingHub

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for video translation, but it can send user videos or video URLs to an external service without clear disclosure or confirmation.

Review before installing. Use it only for videos you are comfortable sending to the third-party processing service, and prefer a version that requires explicit confirmation of the video source, target language, and external upload before any job is submitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs sending user-provided video files or URLs to a third-party service but does not clearly warn the user in the skill description or usage flow that their content leaves the local system and is transmitted externally. This creates a privacy and consent risk, especially because videos may contain sensitive personal, biometric, or confidential business information.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
Defaulting to English when the user does not specify a target language can cause unintended content transformation and disclosure to an external service under assumptions the user did not make. In this skill's context, the issue is not code execution but unsafe default behavior that may produce incorrect outputs, surprise the user, and process sensitive media in a way the user did not explicitly authorize.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill enables implicit invocation without any trigger constraints, exclusions, or confirmation gates. In this context, that can cause the agent to automatically route user content such as video files or URLs to an external third-party translation service, increasing the risk of unintended data exfiltration, surprise tool use, and processing of sensitive media without explicit user consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal