video-edit-strategy

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only video planning skill that may inspect user-provided media metadata but does not include hidden code, persistence, credential access, or destructive behavior.

Install this if you want an agent to create detailed video-editing plans from media you provide. Review any generated file paths and execution_plan steps before allowing ffprobe, ffmpeg-cli, ffmpeg-video-editor, or video-frames to run, especially if paths point outside your intended media folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Intent-Code Divergence

Medium (95% confidence)

The skill claims it only produces a strategy, but its workflow instructs the agent to run `ffprobe` on user-provided files. This is a real capability expansion from planning into local command execution, which can expose filesystem metadata, create unsafe trust boundaries, and cause downstream agents to treat this skill as safe-to-run when it is not purely declarative.

Description-Behavior Mismatch

Medium (97% confidence)

The metadata and description present the skill as a JSON strategy generator, but the body instructs it to execute a local shell-based media inspection command. This mismatch is dangerous because orchestrators, reviewers, or policy systems may grant it broader trust than intended, enabling command execution against arbitrary user-supplied paths under the guise of harmless planning.

Context-Inappropriate Capability

Medium (94% confidence)

A planning-oriented skill is being given shell execution behavior (`ffprobe`) despite its stated role being strategy generation. In this context, the danger is not just the specific command but the broken capability boundary: a higher-level planning skill can become a covert executor of local operations on attacker-controlled file paths or sensitive locations.

VirusTotal

66/66 vendors flagged this skill as clean.
