Byted Kickart Video Subtitler

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform real video-subtitling work, but it also asks for sensitive cloud credentials in chat, logs authorization data, uploads user media to remote services, and performs account/package actions with weak disclosure.

Install only if you are comfortable sending videos, captions, and generated outputs to Bytedance/Volcengine/Kickart services and using cloud credentials with this skill. Do not paste long-lived AK/SK secrets into chat; prefer a scoped token or isolated credentials, review any update install_command before accepting it, and assume local logs may contain sensitive request data unless the skill is fixed to redact secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Although presented as a local video subtitling skill, the workflow accepts arbitrary public URLs and fetches remote content with curl. Allowing arbitrary URL retrieval expands the attack surface and can be abused to access untrusted resources, trigger unexpected downloads, or process content the user did not originally intend to handle locally.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to ask users to paste ACCESS_KEY_ID and SECRET_ACCESS_KEY into chat and then export them for later use. Requesting long-lived cloud credentials through chat is highly dangerous because it exposes secrets to logging, transcript retention, accidental disclosure, and misuse beyond the immediate subtitling task.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The skill presents itself as producing a subtitled video file, but the documented output is actually a JSON result containing a remote video URL. While less severe than direct credential issues, this discrepancy can mislead users about where their output resides and whether media remains local or is stored on a third-party platform.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The module hard-codes shared storage and log directories under a different skill namespace ('byted-kickart-viral-replicator') even though this skill is for video subtitling. That creates a realistic risk of cross-skill data mixing, log leakage, accidental overwrite, and unauthorized access to artifacts produced by another skill if both run on the same host or workspace. In this context, a media-processing skill may handle user-provided videos and derived subtitle outputs, so namespace confusion makes the issue more dangerous because sensitive user content could be exposed across skills.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The post() method accepts an arbitrary action string and forwards caller-supplied bytes directly to the remote client, creating a generic remote procedure invocation primitive. In a subtitle skill, this unnecessarily broad capability can be abused to invoke unrelated backend operations, expanding the attack surface and potentially enabling unauthorized actions if higher layers pass untrusted input.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code enumerates IAM users via ListUsers and preferentially selects an admin account ID, even though this is a video subtitling skill rather than an IAM-management tool. In this context, discovering and reusing an admin identity expands privilege scope unnecessarily and can enable uploads or media operations to run under a higher-privileged owner than required.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This module implements general-purpose remote media upload and persistence capabilities that go beyond a narrowly scoped subtitle-embedding skill. In the context of an agent skill, that broader capability increases the chance of unexpected exfiltration or misuse of user-provided media, especially because the file stores uploaded media metadata locally and exposes reusable upload abstractions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The KickartUploader supports URL-based media creation by sending a user-supplied URL to an external service, which is outside the stated purpose of a video-subtitling skill. This can enable unauthorized fetching or transfer of third-party resources, and if the upstream service resolves arbitrary URLs, it may facilitate SSRF-like access paths or unintended ingestion of sensitive internal resources.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code implements a general-purpose remote file downloader that can fetch arbitrary URLs and write the results to disk, which is broader than a video subtitling skill's declared purpose. In an agent context, this creates SSRF and arbitrary content retrieval risk if user-controlled URLs are accepted, and it also expands the skill's capability surface beyond what users would reasonably expect.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file’s behavior is unrelated to the declared video-subtitling purpose: it instantiates an ICCP service and calls RegisterArkClawCombo instead of processing video or subtitle inputs. In a skill ecosystem, this kind of hidden capability is dangerous because it can trigger unauthorized account/package actions under the guise of a benign media task, indicating deceptive functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code performs account/package registration, a capability that is not necessary for a video subtitling skill. This creates a hidden side effect where invoking a media-processing skill may alter user entitlements or register services remotely, violating user expectations and potentially abusing credentials or backend trust.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The inline documentation explicitly states that the command queries/registers a free Ark Claw package, directly contradicting the declared subtitling intent. This mismatch is a strong indicator of deceptive packaging and increases the likelihood that users or reviewers will be misled into running unrelated network-affecting code.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s stated purpose is subtitle addition, but it also uploads the processed video artifact to Kickart SaaS. This creates an undisclosed data egress path for potentially sensitive user media and exceeds the minimally expected behavior for a subtitling tool.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
Although described as a local video subtitle tool, the script actually works from a remote media ID and fetches media details through backend services. This mismatch can mislead users about where their content is processed and what systems receive their data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill asks users to paste ACCESS_KEY_ID/SECRET_ACCESS_KEY directly into chat without any secure handling guidance or warning. This creates a direct secret-exposure path through conversation history and increases the risk of credential theft, replay, and unauthorized access to the user's cloud account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill asks for a local file path or public URL and then uploads the video to an external service without an upfront privacy or data-transfer warning. Because videos may contain personal, proprietary, or regulated content, silent remote upload creates a meaningful confidentiality and compliance risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The client logs full request headers and body before sending the request, which includes Authorization credentials and potentially sensitive subtitle or video-derived content. It also logs full response headers and body, which can expose tokens, identifiers, or returned sensitive data to anyone with log access, turning ordinary operational logs into a credential and data leakage channel.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The request path logs full headers, which include Authorization credentials, along with full request and response bodies. This can leak API tokens, signed headers, user media metadata, and backend responses into logs, turning routine observability into a credential and data exposure channel.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Muse uploader transmits local file content and associated metadata to an external service without any visible user-facing disclosure or consent handling in this file. For a subtitling skill, users may expect local processing; silent remote transfer creates a privacy and data-handling risk, especially for personal or confidential videos.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The URL-based media creation path sends user-supplied remote resource information to an external service with no visible disclosure or guardrails in this file. In a subtitle tool, this is especially risky because it expands processing from user-owned files to arbitrary network resources, increasing privacy, compliance, and potential network abuse concerns.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The network registration call is executed immediately with no user-facing warning, consent, or confirmation step. Even if the backend action were legitimate, silently registering a package from a skill invocation can cause unauthorized state changes and makes abuse harder for users to detect or prevent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script submits video URL, duration, aspect ratio, and caption content to a remote ICCP service without any user-facing notice or confirmation. For user media, captions may contain sensitive or proprietary information, so silent transmission creates privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The generated video is uploaded to a SaaS platform automatically after processing, with no explicit warning or consent step. This is dangerous because the output video may still contain sensitive source content, and automatic upload broadens exposure beyond the stated subtitling task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads a user-supplied local video file via `media_service.add_media(...)` after only printing a generic status message, without any explicit consent, destination disclosure, or privacy warning. Because videos commonly contain sensitive visual, audio, metadata, or personal information, silent transfer to a remote media service creates a real confidentiality and user-expectation risk in the skill context.

Ssd 3

High
Confidence
99% confidence
Finding
The skill not only asks for AK/SK secrets in chat but also instructs the agent to persist them in environment variables for reuse in subsequent commands. Reusing user-supplied cloud credentials in an automated workflow materially increases the blast radius if the session, logs, or execution environment are compromised.

VirusTotal

63/63 vendors flagged this skill as clean.
