ClawHub

Libtv Cli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent LibTV command-line documentation and installer skill, but users should treat its installer and saved login credentials with normal caution.

Install only if you trust the LibTV distribution host and account workflow. Prefer running the bundled installer from the skill directory over piping a remote PowerShell script into execution, and use the documented skip-profile options if you do not want PATH changes. Treat ~/.libtv/credentials.json as a sensitive session credential, avoid syncing or committing it, and review files and prompts before upload or generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The document instructs users to download a PowerShell script from the network and immediately execute it via Invoke-Expression. This creates a classic remote code execution trust boundary failure: if the hosting endpoint, CDN, DNS, TLS termination, or published script is compromised, users will execute arbitrary code with their own privileges without inspection.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installer performs persistent system changes by overwriting the target binary and appending to the user's shell profile without an explicit confirmation gate at execution time. Even though the file header documents this behavior, unattended or copy-pasted execution can still modify login-shell behavior in ways the user may not immediately expect.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script can fetch and install artifacts from a remote host automatically when local files are absent, and the network transfer is only disclosed at the moment of download. For an installer that executes downloaded content, lack of a prior confirmation or integrity-verification prompt increases supply-chain and user-surprise risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown explicitly recommends piping a remotely fetched PowerShell script into execution without any warning, integrity verification, or constrained execution model. Even if intended for convenience, this normalizes unsafe installation behavior and materially increases supply-chain and man-in-the-middle style execution risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal