subtitles

Security checks across malware telemetry and agentic risk

Overview

The skill’s subtitle function is coherent, but its setup gives the agent broad authority to create an external account and persist API credentials for future sessions.

Install only if you trust TranscriptAPI and are comfortable letting an agent handle account setup and store a long-lived API key. Before setup, ask where the key will be stored, prefer a platform secret store over shell profiles, avoid private or sensitive YouTube links unless you trust the provider, and know how to revoke or delete the key later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence: 98%
Finding:
The skill’s declared purpose is fetching YouTube subtitles, but this file expands behavior into third-party account creation, OTP handling, and persistent credential setup for TranscriptAPI. That materially broadens the agent’s authority and creates a path for collecting, generating, and storing secrets unrelated to the minimally necessary subtitle task, increasing the risk of unauthorized account actions and secret exposure.

Context-Inappropriate Capability

High
Confidence: 97%
Finding:
The instructions explicitly direct the agent to determine how to persist TRANSCRIPT_API_KEY across future sessions and non-interactive shells. Persisting a long-lived API secret at the system or shell level exceeds what is needed for a subtitle retrieval skill and increases blast radius if the host, shell config, or agent environment is later accessed by other processes or users.

Context-Inappropriate Capability

High
Confidence: 98%
Finding:
This section directs the agent to register external accounts, receive user email addresses, trigger OTP delivery, collect verification codes, and exchange them for API keys. That workflow is outside the stated function of subtitle retrieval and grants the agent the ability to create and control third-party service access on the user’s behalf, which is a risky capability expansion.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill explicitly sends user-supplied YouTube video URLs/IDs and may request metadata from a third-party service, but it does not clearly disclose this external transmission in a user-facing privacy notice or require confirmation before sending potentially sensitive links. While a YouTube URL is often low sensitivity, links can still reveal private/unlisted content, user interests, or workflow context, and `send_metadata=true` increases the amount of shared data.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The file tells the agent to store a sensitive API key persistently and ensure future-session availability, but it does not require a clear warning, informed consent, retention limits, or disclosure of where the secret will be stored. In skill context, this is more dangerous because subtitle fetching does not inherently require long-term local secret persistence, so users may not expect durable storage of credentials.

VirusTotal

64/64 vendors flagged this skill as clean.