ClawHub

短视频下载器(红狐数据)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Redfox API video downloader with privacy, credential, and copyright-use caveats, but no hidden or destructive behavior was found.

Install only if you are comfortable sending media links and any Redfox API key you use to redfox.hk. Prefer environment variables or a secure secret store for your own key, avoid plaintext config on shared machines, and download or reuse only content you own or are authorized to save.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script embeds a reusable third-party API key directly in source code, which exposes the key to anyone who can read or redistribute the skill. Hard-coded credentials are dangerous because they can be abused by unrelated parties, exhausted, revoked, or attributed back to this tool's operator, creating service abuse and supply-chain trust issues.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that shared video links and a user-bound API key are sent to redfox.hk for parsing, but it does not clearly warn users that their input and associated account-linked identifiers are transmitted to a third party. This creates privacy and data-governance risk, especially because the key is tied to user identity (vid).

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill prominently promotes downloading watermark-free media, backups, and reuse for secondary creation without warning about copyright, authorization, terms-of-service, or creator-rights implications. In context, this materially increases the risk of misuse by encouraging potentially infringing acquisition and redistribution workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The presentation repeatedly promotes downloading third-party platform content, including watermark removal and reuse for secondary creation, but provides no warning about copyright, authorization, platform terms, or privacy implications. In this skill context, that omission materially increases misuse risk because the feature set is explicitly designed to obtain and locally save protected content from external services.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal