ClawHub

u2-downloader

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple wrapper for a disclosed third-party YouTube downloader API, with privacy and API-key handling risks users should understand before use.

Install only if you trust u2foru.site with your requested YouTube URLs and account/API key. Treat the key as a paid credential, rotate or revoke it if exposed, avoid sensitive or private video URLs, and confirm you have rights to download the content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill asks users to obtain an API key from a third-party site and use the service, but it does not clearly warn that both the user's YouTube URLs and bearer token will be transmitted to that external domain. This creates a real transparency and privacy issue because users may not realize their inputs and credentials are leaving the local agent environment and being handled by an untrusted third party.

External Transmission

Medium
Category
Data Exfiltration
Content
BASE_URL = "https://u2foru.site"

# Download
resp = requests.post(
    f"{BASE_URL}/api/v1/skill/download",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={"youtube_url": "https://youtube.com/watch?v=dQw4w9WgXcQ", "resolution": "720"}
Confidence
95% confidence
Finding
requests.post( f"{BASE_URL}/api/v1/skill/download", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Download a video
curl -X POST https://u2foru.site/api/v1/skill/download \
  -H "Authorization: Bearer sk-yt-xxxxx" \
  -H "Content-Type: application/json" \
  -d '{"youtube_url": "https://youtube.com/watch?v=dQw4w9WgXcQ", "resolution": "720"}'
Confidence
95% confidence
Finding
curl -X POST https://u2foru.site/api/v1/skill/download \ -H "Authorization: Bearer sk-yt-xxxxx" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal