polyv-live-cli

Security checks across malware telemetry and agentic risk

Overview

This skill is an administrative Polyv live-streaming CLI wrapper, but it handles account secrets and exposes broad account-level, destructive, and viewer-data operations without enough scoping or safety guidance.

Install only if you are a trusted Polyv administrator and are comfortable giving the agent live-service admin authority. Do not paste production AppSecret values into chat or command lines; prefer a dedicated low-privilege account, environment/secret-manager injection, and rotate credentials after testing. Review commands before execution, especially deletes, callback changes, whitelist/watch-condition changes, global bans/kicks, and viewer data exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The manifest description focuses on live-channel operations but omits that the skill also supports broad audience governance, account-wide settings, callback URL changes, and moderation actions. This scope understatement can cause operators or higher-level policy systems to approve or invoke the skill with an incomplete understanding of its authority, increasing the chance of unsafe or unauthorized use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill exposes platform-wide callback URL management, which can redirect event notifications and operational data to attacker-controlled endpoints if misused. Because callback configuration affects the whole account rather than a single live session, this capability is significantly more sensitive than routine live-operations tasks and broadens the blast radius.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to request AppID and AppSecret directly from the user and then use them in commands without any secret-handling safeguards. In an agent/chat context, this can expose credentials in conversation logs, model context, terminal history, or downstream tooling, enabling account compromise.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The documentation presents destructive operations such as channel deletion and batch deletion without requiring confirmation guidance or warning about irreversible effects. In an agent setting, users may trigger these commands accidentally or without understanding the scale of deletion, causing service disruption or data loss.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill documents global moderation commands and account-level configuration changes without warning that they affect all users or broad service behavior. In context, these commands can silence users, remove access, or alter account-wide functionality far beyond a single stream, so omission of impact cues materially increases misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly demonstrates passing `--appSecret <secret>` on the command line. Secrets supplied as CLI arguments are commonly exposed via shell history, process listings, audit logs, CI job output, and support screenshots, so this example can lead users to leak production credentials even if the tool itself handles them correctly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation includes force-delete and batch force-delete examples that bypass confirmation prompts, but it does not clearly warn that these are destructive, irreversible operations. In a channel-management CLI, this increases the risk of accidental mass deletion by users or downstream agents following examples blindly, causing service disruption and data/resource loss.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The example shows removing a channel password by setting it to an empty value without warning that this weakens access control. Because this skill is specifically for managing live broadcast channels, users may unintentionally expose private or restricted streams to unauthorized viewers if they copy the example without understanding the security consequence.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation includes a destructive `lottery delete` command with no warning, confirmation guidance, or note about irreversibility. In an agent skill context, this increases the chance that a user or downstream automation invokes deletion casually, causing loss of live-event configuration or records and operational disruption.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The winner-query functionality exposes fields such as Viewer ID, Nickname, Winner Code, and Win Time without any privacy or data-handling warning. In this skill's live-commerce/streaming context, those fields can constitute personal or identifying data, so surfacing them without caution may lead to unnecessary disclosure, logging, or secondary misuse by agents and scripts.

Missing User Warnings

Severity: High
Confidence: 93%
Finding
The callback update command allows changing the destination URL for platform event notifications, but the documentation does not warn that this can redirect potentially sensitive operational data to an attacker-controlled endpoint. In a live-service admin context, silent misuse of this feature could compromise event integrity, leak metadata, or break downstream automations that rely on trusted callbacks.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The documentation includes a forced deletion example (`-f`) for removing a playback without explicitly warning that the action is irreversible. In an administrative CLI for live-stream assets, normalizing force-delete commands can lead users to accidentally destroy recordings they intended to keep, especially when copied verbatim from docs.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The bulk cleanup workflow automates forced deletion of all matching playback records with no safety warning, preview/confirmation checkpoint, or guidance on rollback. In the context of a live-service management skill, this makes mass irreversible data loss much more likely because users may run the loop unchanged against production channels and permanently erase many recordings at once.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation instructs users to initialize preconfigured live-stream channels and later start streaming, including enabling persistent features like auto-recording, but it does not warn that these actions create or modify real production resources. In an agent skill context, this can lead to unintended channel creation, billing-impacting changes, recording retention, or accidental live broadcasts if the agent follows the documented workflow without explicit user confirmation.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation explicitly shows how to retrieve and print RTMP push credentials, including a full publish URL, but does not warn that the stream key is effectively a secret that enables unauthorized publishing if exposed. In a streaming-management skill, users are likely to copy commands and outputs into shells, logs, tickets, or scripts, increasing the risk of accidental disclosure and stream hijacking.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The documentation provides direct start/stop broadcast commands without any caution that stopping a live stream is a disruptive, state-changing action affecting viewers and ongoing events. In an operations-oriented CLI, omission of warnings or confirmation guidance can lead to accidental service interruption or premature termination of live broadcasts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation exposes commands for querying viewers by personal data fields such as mobile number, email, and area, and for bulk tag manipulation, but provides no warning about privacy obligations, authorization checks, or the consequences of bulk operations. In a viewer-management context, this can normalize unsafe handling of PII and enable accidental mass modification of audience metadata if operators use the commands without safeguards.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The authentication guidance explicitly suggests passing `--appSecret` on the command line, which can expose credentials through shell history, process listings, CI logs, and terminal recording. Because these are application secrets for a live-service management CLI, disclosure could allow unauthorized access to viewer data and management operations across channels and related resources.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation explicitly supports querying and displaying sensitive viewer personal data such as phone numbers, email addresses, addresses, and viewing behavior, but provides no warning about privacy implications, access restrictions, terminal exposure, or safe handling of exported JSON. In a live-platform management skill, this increases the risk of over-collection, casual disclosure to operators, and accidental leakage through logs, screenshots, shell history, or copied output.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The examples and sample JSON include realistic phone numbers, email addresses, and geographic information, and the output descriptions normalize full display of PII without any caution about visibility in terminals or downstream tooling. This is dangerous because operators may paste, record, export, or share raw outputs containing personal data, causing privacy breaches even without a software exploit.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The documentation provides commands to alter watch-condition settings, including making streams public or disabling conditions, without explicitly warning that these actions change access control for a channel or even global defaults. In an access-management skill, omission of such warnings increases the risk of accidental exposure of paid or restricted streams, or unintended viewer lockout, especially when examples are easy to copy-paste.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation exposes destructive operations such as deleting whitelist entries and clearing all whitelist items, but it does not describe any confirmation prompt, dry-run mode, or explicit warning about the irreversible impact on access control. In a live-stream access-management context, accidental or automated misuse could immediately revoke viewer access or remove protection settings, causing service disruption and unauthorized audience changes.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
Requesting and using AppSecret directly in chat and CLI commands creates multiple exposure points: chat transcripts, model memory/context, shell history, process listings, logs, and screenshots. Since these credentials grant API access to the live platform account, disclosure can lead to unauthorized channel control, data access, and platform configuration changes.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The documented inline use of `--appId` and `--appSecret` normalizes passing credentials on the command line, where they are commonly exposed through shell history, process inspection, telemetry, and logs. This is especially dangerous in an agent environment that may render or store the full command text automatically.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Listing AppSecret as a normal global option semantically endorses plaintext secret passing as standard practice. In operational environments this increases the likelihood of credential leakage via histories, monitoring systems, debugging output, and copied command snippets, potentially compromising the entire Polyv account.

VirusTotal

64/64 vendors flagged this skill as clean.
