Security audit

Grabgrab

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video/audio downloader that sends a user-provided media URL to GrabGrab and saves the returned file, with no hidden persistence or unrelated behavior found.

Install only if you are comfortable sending media URLs to GrabGrab for processing. Avoid using private, internal, expiring, or token-bearing URLs unless you intend to share them with that service, and choose a safe download directory and filename when saving returned files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill instructs the agent to send a user-supplied URL to the third-party service grabgrab.fun, but the skill description and workflow do not warn the user that their input will be transmitted externally. This creates a privacy and consent issue because URLs may contain sensitive query parameters, private links, or identifying information that the user may not expect to be shared with an outside service.

External Transmission

Medium
Category: Data Exfiltration
Content:
Use `curl` via the Bash tool to call the API:

```bash
curl -s -X POST "https://www.grabgrab.fun/api/download" \
  -H "Content-Type: application/json" \
  -d '{"url": "<VIDEO_URL>", "videoQuality": "<QUALITY>"}'
```
Confidence: 93%

VirusTotal

55/55 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.