ClawHub

Subtitle Generator Ai Free

Security checks across malware telemetry and agentic risk

Overview

This looks like a subtitle-focused skill that can route broad video-editing and media-ingestion requests to a cloud backend more widely than users would expect.

Install only if you are comfortable with your media, URLs, and editing instructions being sent to the provider's cloud backend. Treat it as a broader video editing service, not just a subtitle tool, and avoid uploading sensitive or private footage unless the publisher clarifies scope, confirmation steps, and data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a narrow subtitle generator, but the documented routing and backend capabilities expose a much broader cloud video editing pipeline. This scope mismatch can mislead users and host systems into granting trust, data access, or invocation opportunities beyond what the manifest suggests, increasing the chance of unintended media manipulation actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill accepts URL-based imports and multiple non-video/media asset types beyond the stated video subtitle workflow. Hidden support for broader asset ingestion expands the attack surface for unexpected data handling, remote content ingestion, and capability abuse that users would not reasonably infer from the manifest.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Very broad example phrases like 'generate my video files' or 'export 1080p MP4' can match common user language and trigger the skill in contexts where the user did not intend to invoke it. This raises the risk of accidental cloud uploads, processing, or export actions on user media without sufficiently specific confirmation.

Vague Triggers

High
Confidence
97% confidence
Finding
The routing rule sends essentially all remaining requests, including generic editing intents, to the SSE backend via a catch-all condition. In a skill advertised for subtitle generation, this creates a high risk of overbroad invocation and unintended execution of backend media-editing operations outside the user's expected scope.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal