Video Rough Cut

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local video rough-cut helper; the main caution is that the selected video is uploaded to a configurable API endpoint that defaults to localhost.

Install only if you intend to process selected videos through B-Roll Studio. Keep the base URL on localhost unless you deliberately trust another endpoint, and remember that the selected video and its audio/transcript content may be handled by that configured service and a rough-cut output may be written back to disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill instructs the agent to read a local video file and make HTTP requests to a localhost service, but the skill metadata declares no permissions. That mismatch is a real security issue because it hides the actual capability surface from the permission model and from reviewers, making unintended file access and local service interaction easier to approve or invoke without proper scrutiny.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The script uploads the entire local video file to an API endpoint whose default base URL is plain HTTP, and it provides no explicit warning or confirmation that media content will be transmitted over the network. Even though the default host is localhost, the user can supply a different base URL, and plaintext transport can expose potentially sensitive video/audio content to interception or unintended remote services.

VirusTotal

66/66 vendors flagged this skill as clean.
