Video Sourcing

Security checks across malware telemetry and agentic risk

Overview

This video research skill is clearly related to its purpose, but it deserves review because it can download and run external code on the host with API-key access.

Install only if you trust the external video-sourcing runtime and are comfortable with first-use network bootstrapping on the host. Prefer invoking /video_sourcing explicitly, use restricted API keys, monitor quota usage, and review the external repository before granting it access to your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script self-bootstraps by cloning code from GitHub and installing dependencies at runtime, which materially expands the trust boundary beyond a simple deterministic wrapper. Even though the repo URL and tag are pinned, this still executes remotely sourced code and package installation logic during skill use, creating supply-chain and reproducibility risk inconsistent with the stated wrapper behavior.

Vague Triggers

Medium
Confidence: 88%
Finding
The skill auto-activates on a broad class of free-form requests related to video analysis, which can cause unintended execution of a host-runtime workflow without explicit user invocation. Because this skill runs with sandbox mode off and may bootstrap and execute external tooling, ambiguous triggering increases the chance of surprising code execution and misuse from ordinary conversational input.

VirusTotal

63/63 vendors flagged this skill as clean.
