ClawHub

TikTok Clipper

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised video clipping work, but it automatically modifies the Python environment and sends audio to OpenAI during transcription.

Review before installing. Use a virtual environment, preinstall and pin the OpenAI dependency yourself, use a dedicated OpenAI API key, avoid sensitive or regulated audio unless third-party transcription is acceptable, and clean up temporary audio, transcripts, and generated clips after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        from openai import OpenAI
    except ImportError:
        subprocess.run([sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "openai"], check=True)
        from openai import OpenAI

    client = OpenAI(api_key=os.environ.get("OPENAI_API_KEY"))
Confidence
88% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "openai"], check=True)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script conditionally installs the openai package at runtime, which causes network access and arbitrary third-party package installation as a side effect of transcription. This is risky because it executes code outside the documented business logic and can be abused through dependency confusion or repository compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly states it uses the OpenAI Whisper API for transcription, which means user video/audio content is transmitted to a third-party service, but it does not warn the user about that data transfer. This can expose sensitive spoken content, background audio, or personal information without informed consent, especially when users may assume processing is local.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code uploads local audio content to an external API without any explicit user-facing notice, consent check, or data-handling disclosure. In a transcription tool, this matters because the inputs may contain sensitive voice, business, or personal information that leaves the local system unexpectedly.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal