RoughCut

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local video-editing workflow, but users should understand the optional URL download and Gemini-based fluff removal before using those features.

Install only if you trust the RoughCut repository configured as repo_root. Prefer local video files when possible; if using --video-url, use trusted HTTPS links and consider --video-sha256 for verification. Keep fluff removal disabled for sensitive recordings unless you are comfortable using Gemini for that analysis and understand that derived video content may leave the local machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly invites the user to provide a direct HTTPS URL and states the runner will download the video onto the local machine, but it does not clearly warn about the trust boundary change or the risks of fetching remote content. This can lead users to cause the agent to retrieve untrusted data onto the host, potentially exposing local storage, triggering processing of malicious media, or causing unexpected network access/costs.

Missing User Warnings

High
Confidence: 97%
Finding
The skill requests a GEMINI_API_KEY for fluff removal but does not disclose that enabling this feature may send video-derived transcripts, summaries, or other content to an external AI service. In a local-first media workflow, this omission is especially risky because users may reasonably assume no cloud exposure, leading to inadvertent disclosure of sensitive or proprietary spoken content.

VirusTotal

66/66 vendors flagged this skill as clean.
