ClawHub

Video Narration

Security checks across malware telemetry and agentic risk

Overview

This video narration skill appears useful, but it can send videos and broad prompts to a remote service without sufficiently clear consent boundaries.

Review before installing. Use it only with videos you are comfortable sending to the provider's cloud service, and require explicit confirmation before upload, session creation, or sending ambiguous prompts. Avoid private, regulated, or proprietary footage unless the provider's privacy and retention practices are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The skill instructs the agent to inspect local installation-path context to derive attribution headers, which introduces unnecessary access to host filesystem context unrelated to processing a user video. Even if limited to path detection, this normalizes local environment inspection and can leak installation details or expand the skill's effective data-access surface beyond user expectations.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Routing 'Everything else' to the SSE action is overly broad and can cause the skill to capture unrelated user requests, sending unintended prompts or content to the remote backend. In this context, the skill already uploads data to a third-party service, so overmatching increases the risk of accidental data disclosure and unexpected remote processing outside the user's intended narration task.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill tells users to send videos and emphasizes cloud GPU processing, but it does not provide a clear, upfront privacy warning that media files and prompts are uploaded to a remote service. For a media-processing skill handling potentially sensitive videos, lack of explicit disclosure undermines informed consent and can expose private content to third-party processing unexpectedly.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal