Films Search

Security checks across malware telemetry and agentic risk

Overview

This movie-resource search skill mostly matches its stated purpose, but it has under-disclosed local file reading and runtime package installation risks that users should review first.

Review before installing. Use it only if you are comfortable with third-party search and scraping for unofficial media links, first-run dependency installation, local caching, and the risk that any search term starting with @ plus a file path could expose that file's contents through the search workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The code explicitly defines and extracts magnet links even though the skill metadata says it retrieves cloud-drive resource links. This is a scope mismatch that can cause the agent to return peer-to-peer piracy links or other higher-risk content the user and platform did not consent to receive.

Description-Behavior Mismatch

Medium (97% confidence)
Finding
The extraction routine returns magnet results to callers, operationalizing behavior beyond the declared 'net-disk resource links' purpose. In this skill context, which is focused on finding downloadable film resources, that broadening materially increases the likelihood of facilitating infringing or unsafe downloads.

Context-Inappropriate Capability

High (96% confidence)
Finding
The code automatically provisions a Python virtual environment and installs packages at runtime via pip when deep search is used. That is a privileged system-modifying action unrelated to a normal 'search' operation from a user's perspective, and it expands the trust boundary to package indexes and dependency resolution, creating supply-chain and unexpected code-execution risk.

Context-Inappropriate Capability

Medium (85% confidence)
Finding
The script invokes external bash and Python programs and forwards broad environment state into those subprocesses. While execFile avoids shell interpolation, this still expands execution capability beyond simple in-process searching and increases exposure to path hijacking, unsafe child scripts, and misuse of inherited environment variables.

Vague Triggers

Medium (79% confidence)
Finding
The trigger phrases are broad enough to match common user requests such as asking to find a movie or download link, which can cause the skill to activate unexpectedly. In this context, accidental activation is more concerning because the skill performs network searches and deep crawling of external pages, potentially without the user understanding those side effects.

Missing User Warnings

Medium (88% confidence)
Finding
The skill does not prominently warn that deep mode visits external pages, follows search results, and performs multi-page crawling, all of which may expose user queries and system network activity to third parties. This is particularly risky here because the skill targets unofficial resource pages and uses deeper scraping techniques, increasing privacy, compliance, and exposure concerns.

Missing User Warnings

Medium (94% confidence)
Finding
The skill makes persistent system changes by creating a virtual environment and installing dependencies without explicit user consent at the time of execution. Even if intended for functionality, silent installation is dangerous because it surprises operators, alters the host state, and can pull executable code from external sources.

VirusTotal

66/66 vendors flagged this skill as clean.
