ClawHub

video-analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate video analyzer, but it publishes full analysis content to Feishu by default and changes the local Python environment, so users should review it before installing.

Install only if you are comfortable with the skill downloading media, sending transcripts to configured LLM providers, saving transcripts and screenshots locally, installing Python packages automatically, and publishing full analysis content to Feishu by default. Disable Feishu publishing before analyzing private, confidential, regulated, or proprietary videos.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install_package(package: str) -> bool:
        """Install a Python package."""
        try:
            result = subprocess.run(
                [sys.executable, "-m", "pip", "install", package],
                capture_output=True,
                text=True,
Confidence
92% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", package], capture_output=True, text=True, )

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill’s documented purpose is video analysis, but it also mandates publishing results to Feishu and resolving workspace targets from parameters, environment variables, and config. This expands the trust boundary from local analysis to external content publication, which can leak transcripts, summaries, or sensitive video-derived content without being justified as core functionality.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Remote publishing to Feishu is enabled by default via `publish_to_feishu=True`, which can cause transcripts, summaries, evaluations, and source URLs to be sent to an external service without explicit user opt-in at construction time. In a skill that processes potentially sensitive audio/video content, default-on exfiltration to a third-party platform materially increases confidentiality risk.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The CLI description says the tool analyzes videos and generates outputs, but it omits that content may also be published to Feishu by default. This is dangerous because users can reasonably assume the tool is local-only and may unintentionally exfiltrate transcripts, summaries, or other potentially sensitive video-derived content to an external service.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The help text frames Feishu publishing as something the user can choose to do, while the implementation sets publish_to_feishu=True by default. Misleading security-relevant help text can cause users to disclose generated content to Feishu without informed consent, especially when processing private or internal videos.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents `publish_to_feishu=True` as the default and shows example outputs containing a published Feishu document, but it does not prominently warn users that transcripts, summaries, and related metadata may be automatically uploaded to a third-party service. In a video analysis skill, this increases the risk of unintended disclosure of private, copyrighted, or sensitive content, especially when users analyze local files or non-public videos.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README mentions file output and screenshots as features, but does not clearly warn that transcripts, summaries, and screenshots are written to local storage by default. For a tool handling local videos and remote URLs, this can leave sensitive content cached on disk unexpectedly, creating privacy and data-retention risks on shared or managed systems.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill performs video download and writes analysis artifacts, but the documentation does not prominently warn that it fetches remote content and creates local files. Users may unknowingly trigger network activity, storage use, and retention of potentially sensitive media-derived data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The configuration section directs users to provide API keys and send content to external LLM providers, but it does not clearly warn that transcripts and analysis inputs may leave the local environment. In a video-analysis context, this can expose copyrighted, private, or regulated content to third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Feishu publishing instructions explicitly direct the tool to upload the full merged markdown body, including summary, evaluation, and transcript, without an explicit user-facing warning or consent step. This creates a meaningful risk of unauthorized external disclosure of sensitive or proprietary video content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code writes full transcripts and generated analyses to disk automatically, potentially persisting sensitive spoken content, URLs, and derived summaries without clear user notice in this code path. Silent local persistence increases the risk of unintended data retention, later disclosure to other local users/processes, and forensic recovery of private content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code publishes assembled markdown containing transcript, summary, evaluation, title, URL, and timestamps to Feishu over the network, but there is no user-facing warning or confirmation here before transmission. Because the content may include sensitive or proprietary media-derived text, silent outbound publication creates a meaningful data exfiltration risk beyond local-only processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function installs missing packages automatically via pip without explicit user confirmation before changing the environment. In an agent skill context, that behavior is more dangerous because running the skill can silently pull and execute third-party package installation logic, increasing supply-chain and operational risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
Before inserting new content, the code unconditionally enumerates document blocks and batch-deletes all existing top-level blocks in the target document. If the target document or parent is misconfigured, reused, or attacker-influenced, this can irreversibly destroy existing content without confirmation, backup, or a safer append/replace strategy.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI enables publishing generated content to Feishu by default without an execution-time warning or explicit user opt-in. In a video analysis skill, outputs commonly include transcripts and summaries of potentially confidential material, so silent default publication increases the risk of unintended external disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill enables publishing analysis output to Feishu by default, but the user-facing description does not clearly warn that transcripts, summaries, and evaluations may be sent to an external collaboration platform. This creates a meaningful risk of unintended disclosure of sensitive video content, especially when users analyze private URLs or local media files and do not realize publication is opt-out rather than opt-in.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The code unconditionally converts all transcription output to Simplified Chinese before returning it, which alters user data without consent and can silently corrupt meaning, names, quotes, legal text, or evidentiary transcripts. In a transcription skill, preserving fidelity to the source output is a core security and integrity property, so forced normalization is a real output-integrity vulnerability rather than a cosmetic issue.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The timestamped transcription path also rewrites each segment's text into Simplified Chinese, meaning segment-level output no longer faithfully reflects what the model produced. This is especially risky for downstream uses like subtitles, audits, moderation review, legal/compliance workflows, or alignment with source audio, where silent text transformation can cause misinterpretation and loss of provenance.

Ssd 1

Medium
Confidence
96% confidence
Finding
Untrusted transcript text is inserted directly into the prompt template with no delimiter strategy, role separation, or explicit instruction telling the model to treat transcript content as data only. A malicious transcript can contain natural-language prompt injection that changes summarization behavior, causes policy bypass in downstream tasks, or manipulates structured outputs consumed by the application.

Ssd 1

Medium
Confidence
97% confidence
Finding
The summary-generation path embeds raw transcript content into style-specific prompts, allowing an attacker to plant instructions inside the transcript such as 'ignore prior instructions' or 'output secrets/config.' Even if the model cannot access secrets directly, this can reliably degrade integrity of summaries, produce policy-violating output, or interfere with any automated pipeline that trusts the summary text.

Ssd 1

Medium
Confidence
98% confidence
Finding
Timestamped transcript entries are serialized verbatim into a prompt used to generate structured key-node output, creating a strong prompt-injection path against a workflow that expects machine-readable JSON. An attacker can bias which timestamps are selected, cause malformed or misleading JSON, or manipulate downstream screenshot extraction and any later automation that trusts these nodes.

Unvalidated Output Injection

High
Category
Output Handling
Content
]

        try:
            result = subprocess.run(
                cmd,
                capture_output=True,
                check=True,
Confidence
84% confidence
Finding
subprocess.run( cmd, capture_output

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal