ClawHub

video-audio-replace

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised video dubbing workflow, with normal privacy and overwrite cautions for cloud TTS and media files.

Use this only with media and subtitles you are allowed to process. Choose a fresh output filename, use a dedicated revocable ElevenLabs key if needed, avoid cloud TTS for confidential transcripts unless the provider terms are acceptable, and prefer installing dependencies in a virtual environment rather than system-wide privileged pip installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for file in files:
            f.write(f"file '{file}'\n")

    subprocess.run([
        "ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", concat_list,
        "-c", "copy", output_file
    ], capture_output=True)
Confidence
89% confidence
Finding
subprocess.run([ "ffmpeg", "-y", "-f", "concat", "-safe", "0", "-i", concat_list, "-c", "copy", output_file ], capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs users to use environment variables, local file I/O, shell commands, and network-backed services, yet it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or platforms cannot accurately assess what the skill will access or whether external services and local system tools are involved.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends ElevenLabs but does not clearly disclose that subtitle text and potentially derived voice content are transmitted to an external TTS provider. If subtitles contain sensitive, proprietary, or personal data, users may unknowingly exfiltrate that content to a third party, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Subtitle text is transmitted to a third-party TTS provider, which can expose sensitive or regulated content from videos without a clear user-facing disclosure. In a media-processing skill, users may reasonably assume local handling unless remote transfer is made explicit.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal