ClawHub

Google Free Media Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for browser-based media generation, but it asks users to reuse a logged-in Google session without enough session-safety boundaries.

Install only if you are comfortable letting reviewed scripts operate with a logged-in Google browser session. Use a dedicated Google account or isolated browser profile, avoid private prompts or images, review the scripts before enabling real automation, and know how to delete any stored cookies, quota logs, and generated metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to log into personal Google services and then use browser automation against them, but it does not warn about session exposure, account actions performed by automation, or privacy implications. In this skill’s context, the stated goal is to obtain free media generation by driving consumer web UIs instead of using official APIs, which increases the risk of misuse of authenticated sessions and unexpected actions on a real account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly recommends persisting browser cookies/session storage so a Google login can be reused. Storing authenticated session material without an explicit warning, consent flow, scope limits, or protection guidance can expose the user's account if those files are stolen, reused by other tasks, or left on shared systems.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill defines automatic output locations for generated media and metadata but does not clearly warn users that files will be written to disk. This can create privacy, data retention, or disk exposure issues, especially on shared hosts or when prompts/metadata contain sensitive information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal