mp4-to-mp3-extractor

Security checks across malware telemetry and agentic risk

Overview

The skill does convert MP4 files to MP3, but it also automatically installs packages, downloads FFmpeg, and changes Python environments without clear user control.

Review before installing. Use this only in a disposable or dedicated environment if you are comfortable with it installing Python packages, changing packaging tools, downloading FFmpeg, writing logs, and generating MP3 files under the selected output path. Prefer preinstalling FFmpeg and dependencies yourself, and avoid using it for URL downloads unless that workflow is separately reviewed and explicitly approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Fix the setuptools version specifically for legacy projects (setup.py files that use pkg_resources)"""
    logger.info("🔧 正在修复 setuptools 版本(兼容旧 GitHub 包构建)...")
    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            "--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel"
        ])
Confidence
97% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel" ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd.extend(["-i", "https://pypi.tuna.tsinghua.edu.cn/simple"])

    try:
        subprocess.check_call(cmd)
        logger.info(f"✅ {spec} 安装/升级完成!")
        
    except subprocess.CalledProcessError as e:
Confidence
96% confidence
Finding
subprocess.check_call(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.warning(f"🔧 正在安装 {install_str} ...")

    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            install_str,
            "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
Confidence
93% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", install_str, "-i", "https://pypi.tuna.tsinghua.edu.cn/simple", "--quiet"

subprocess module call

Medium
Category
Dangerous Code Execution
Content
sys.executable, "-m", "pip", "install",
                        "--upgrade", fallback_zip, "--quiet"
                    ]
                    subprocess.check_call(cmd_fallback)
                    logger.info(f"✅ 使用本地包 {fallback_zip} 安装成功!")
                    return
                except subprocess.CalledProcessError as e2:
Confidence
95% confidence
Finding
subprocess.check_call(cmd_fallback)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 🔥 Key: automatically enter Y (default yes), fully non-interactive
        logger.info("   自动确认下载中...")
        subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)
        
        # Reload the module after the download completes
        importlib.reload(ffdl)
Confidence
94% confidence
Finding
subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The README tells users they can have the agent download a Douyin video and then extract audio, even though the skill is described as a local MP4-to-MP3 converter. This scope expansion is dangerous because it can cause an agent or operator to treat the skill as authorized for remote content retrieval, introducing unreviewed network access, copyright/compliance issues, and unexpected multi-step behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented chat example exceeds the stated scope of converting local .mp4 files from a specified directory by implying web-video download functionality. In an agent ecosystem, misleading instructions about capabilities can trigger unauthorized or unexpected actions beyond the reviewed security boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a general-purpose package installer with git and archive support, which materially exceeds the declared purpose of converting MP4 files to MP3 audio. Capability overreach is dangerous because it grants the skill a software installation and environment-modification primitive that is unnecessary for media extraction and could be abused for arbitrary code introduction.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Allowing arbitrary pip specs, git repositories, and local archives gives the skill a broad code-loading mechanism outside its declared scope. In this context, the mismatch makes the behavior more dangerous because users expect audio extraction, not remote software installation from flexible sources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This module changes setuptools and wheel immediately on import, regardless of whether the conversion task needs it. Import-triggered environment mutation is especially risky because simply loading the skill causes privileged package-management side effects that may destabilize the environment or introduce supply-chain exposure without informed consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a local MP4-to-MP3 extractor, but it silently installs Python packages at runtime. This mismatch is security-relevant because users and reviewers may not expect network access, package installation, or the execution of newly fetched code during a simple media conversion task.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code automatically downloads and installs FFmpeg from external sources if it is not present, which is not reflected in the stated skill purpose. Downloading executables at runtime introduces supply-chain risk and can result in execution of untrusted or tampered binaries under the user's account.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Runtime installation of Python packages is broader than required for a simple conversion skill and causes arbitrary third-party code to be fetched and executed during use. Even common packages can be compromised or typosquatted, so this increases the attack surface without clear necessity.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic installation of an external binary is an unnecessary privilege expansion for a media conversion skill and creates a direct path from network content to executable code on the host. The forced noninteractive confirmation further removes an opportunity for user review or policy enforcement.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises detailed execution logging and log retention but does not warn that logs may contain sensitive file paths, filenames, user prompts, or operational metadata. For a media-processing skill, those details can reveal private content names, directory structures, and usage patterns if logs are exposed or over-collected.

Vague Triggers

Medium
Confidence
77% confidence
Finding
Overly broad colloquial trigger phrases increase the chance the skill is invoked in situations where the user did not clearly intend file conversion or shell-backed processing. Because the skill performs filesystem writes and may run code automatically, accidental activation can lead to unintended processing of local content and side effects.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation guidance blurs audio extraction and video downloading, which can cause the skill to activate for broader tasks than its stated purpose. That ambiguity is risky because downloading external content materially changes the trust boundary and may trigger network activity or processing the user did not explicitly authorize.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill description does not adequately warn that it will create output directories and write converted files, which are externally visible side effects on the filesystem. Users may invoke the skill expecting analysis only, but it can modify disk contents and consume storage across directory trees.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
If the skill may download videos from provided URLs before conversion, failing to warn users about this network activity is a meaningful security and privacy issue. Downloading remote content expands exposure to untrusted inputs, bandwidth usage, legal/compliance concerns, and unexpected storage of third-party media.

Missing User Warnings

High
Confidence
99% confidence
Finding
The module's top-level code performs package installation and setuptools modification automatically, so importing the file is enough to alter the system state. This is dangerous because users and orchestrators may import the module for introspection or normal operation and unexpectedly trigger network access and environment changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The helper performs subprocess-based pip installs with no explicit confirmation, warning, or trust boundary around package sources. In a skill whose purpose is media conversion, silent dependency installation is an unjustified privilege escalation in behavior and exposes users to unwanted environment modifications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script intentionally bypasses user confirmation by piping 'Y' into the FFmpeg installer, making network download and software installation fully unattended. This undermines transparency and user control, and in managed environments it may violate expected consent and software provenance requirements.

VirusTotal

65/65 vendors flagged this skill as clean.
