Video Proof

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate proof-recording tool, but it gives generated specs broad command, network, recording, and artifact-sharing authority with limited guardrails.

Install only if you intend to use it in trusted repositories and are comfortable reviewing generated specs before execution. Treat `start_command`, `start_port`, `base_url`, `goto`, and API request fields as sensitive authority; avoid authenticated, production, or secret-bearing pages unless you have reviewed the workflow, and inspect/redact `proof-artifacts/` before committing or sharing. Run setup only when you accept npm, Playwright, browser dependency, and possible system package changes on that machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The script’s stated purpose is API proof generation, but it also accepts a user/spec-controlled `start_command` and runs it as a local process. In an agentic workflow, that expands the skill from evidence collection into arbitrary code execution, which is dangerous because proof specs or task inputs may be adversarial or indirectly influenced by untrusted data.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Using `spawn('sh', ['-c', spec.start_command])` gives the skill arbitrary shell execution with full shell parsing, expansion, chaining, and redirection. In a coding-agent context this is especially risky because the command can come from CLI args or YAML spec content, so a malicious repo or task artifact could cause unintended command execution, data exfiltration, or destructive local actions under the agent’s privileges.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The script directly executes `spec.start_command` via `spawn('sh', ['-c', spec.start_command], ...)`, and that value can come from a YAML proof spec or CLI input. This gives whoever controls the spec or invocation the ability to run arbitrary shell commands on the host, which is especially risky in an agent workflow where specs may be generated, modified, or supplied by untrusted automation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The setup script automatically installs a system package with package managers and elevated privileges, which changes the host beyond the narrow task of producing video proof artifacts. In an agent or CI context this broadens the blast radius of running the skill, because invoking setup can modify the machine state and pull packages from external repositories without explicit user approval at the point of change.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The trigger phrases are broad enough that normal project conversations like 'show me it working' or 'prove it works' could invoke the skill unintentionally. In this skill's context, accidental invocation can lead to starting services, recording app content, making network requests, and producing artifacts without deliberate user approval.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill records screens, screenshots, and console logs, and can target local or staging environments that may contain secrets, personal data, admin panels, tokens in URLs, or sensitive debug output. Because the description does not clearly warn about storage and commit of these artifacts, users may inadvertently persist or publish sensitive information in `proof-artifacts/` or PRs.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill records browser video, screenshots, and page console output automatically, but provides no consent prompt, redaction controls, or warning that secrets, tokens, personal data, or internal UI content may be captured and written to artifacts. In CI, PR, or agent-driven environments, those artifacts are likely to be stored, shared, or uploaded, turning transient sensitive data exposure into persistent leakage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script performs privileged package installation with sudo but only presents it as an automatic fallback, not as a clearly consented system modification. Users may run a setup script expecting local dependency installation and instead trigger OS-level changes, which is risky for developer workstations and especially inappropriate for a skill whose purpose is recording demos.

VirusTotal

66/66 vendors flagged this skill as clean.