Security audit

AI Video Translation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward video-translation CLI skill, but users should understand that it installs an external npm tool, uploads media to a third-party API, and stores a temporary local token.

Install only if you trust the `newtranx-ai` npm package and the newtranx service. Do not upload confidential, regulated, or personal videos unless the provider's privacy and retention practices are acceptable, and avoid using the stored token on shared machines unless you can protect or remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs users to log in and states that an authentication token is saved locally in a home-directory config path for 15 days, but it provides no warning about credential persistence, file permissions, or multi-user system exposure. On shared machines or poorly secured environments, a locally stored bearer token may be copied and reused to access the user's account or API usage until expiry.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages uploading local video files or remote video URLs to an external API but does not warn users that media content, subtitles, speaker data, and metadata may be transferred to and processed by a third party. Because the tool explicitly handles potentially sensitive audiovisual content and speaker recognition metadata, omission of a privacy and data-transfer warning increases the risk of inadvertent disclosure of confidential or personal data.

VirusTotal

66/66 vendors flagged this skill as clean.
