short-video-content-replicator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed short-video download and transcription workflow, but users should be careful because it creates files and depends on other media-processing skills.

Install only if you intend to run a local short-video processing pipeline. Use a specific output directory, avoid pointing it at broad private folders, confirm that the referenced companion skills are trusted and installed, and consider copyright/privacy implications before downloading or processing third-party videos.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 91%
Finding
The example trigger phrases are broad and overlap with ordinary user requests like converting or processing a short video, which can cause the skill to activate when the user did not explicitly intend this workflow. Because the skill performs multi-step actions including downloading remote content and writing files, accidental invocation can lead to unintended network access, local processing, and data creation.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation guidance does not clearly define when the skill should or should not activate, especially given natural-language examples that resemble common chat requests. In an agent environment, unclear activation scope increases the chance of unintended execution of a workflow that downloads content, processes media, and writes outputs to disk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description advertises downloading videos, extracting audio, and writing multiple output artifacts to directories, but does not prominently warn users about network access, storage usage, overwriting risk, or handling of third-party content. That omission is dangerous because users may unknowingly authorize actions that affect their filesystem and may implicate privacy, copyright, or operational concerns.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to match common requests such as converting a video to text or 'one-click' processing, which can cause the skill to activate in contexts the user did not intend. In this skill, accidental activation is more sensitive because it can download remote content and launch a multi-step processing pipeline that writes files and invokes several subordinate tools.

Vague Triggers

Medium
Confidence: 86%
Finding
The activation logic is intent-based and vague ('one-click', 'end-to-end', 'copy content', 'transcribe'), so the agent may over-trigger on ordinary media-processing requests without a precise match. Given that this workflow can start from multiple artifact types and chain six automated steps, ambiguous activation increases the risk of unintended downloads, processing of sensitive local files, or excessive resource usage.

VirusTotal

67/67 vendors flagged this skill as clean.
