ClawHub

Video Translator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video translation connector that clearly uses a remote service and an API key, with no evidence of hidden persistence, unrelated data access, or destructive behavior.

Install only if you are comfortable sending the selected video file or URL, plus the service API key, to audiox-api-global.luoji.cn for processing. Avoid using it for confidential, regulated, or copyrighted media unless you trust the provider's privacy and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that user-provided videos are uploaded to a third-party remote service and that an API key is sent for authorization, but it provides no user-facing warning about external data transfer, retention, or privacy implications. Because videos may contain faces, voices, documents, or other sensitive content, the lack of disclosure can cause users or downstream agents to transmit sensitive data off-platform without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends user-provided video files or remote video URLs to a third-party service, but the user-facing description does not clearly warn that their content will leave the local environment for external processing. This is dangerous because videos may contain sensitive personal, confidential, or copyrighted material, and users may provide them without informed consent about third-party transfer.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill silently defaults the target language to English when the user does not specify one, which can cause it to perform an external translation action different from the user's actual intent. In context this is less severe than direct code-execution issues, but it still creates consent and integrity problems because the skill may transform and transmit content under assumptions the user did not approve.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill allows implicit invocation without any trigger phrases or activation constraints, which means the agent may call an external video translation service based only on loose intent matching. Because this skill can send user-provided video files or URLs to a third-party domain, unintended activation can cause unauthorized data disclosure, unnecessary external requests, and surprise charges.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal