Video Auto-Editing Assistant (视频自动剪辑助手)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local video-editing skill, with normal file and FFmpeg risks users should manage deliberately.

Install only if you are comfortable running local FFmpeg-based scripts on media files you select. Use a dedicated output folder, avoid output filenames that match existing files you care about, because FFmpeg is run in overwrite mode, and verify optional ASR tools before using them with private recordings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill advertises and demonstrates shell execution plus file read/write behavior through local scripts and FFmpeg, but the markdown does not declare permissions or operational boundaries. In an agent setting, undeclared shell and filesystem capabilities can cause users or orchestrators to invoke the skill with more trust than warranted, increasing the chance of unintended file access, overwrites, or command execution.

Vague Triggers

Medium
Confidence: 79%
Finding: The invocation guidance is broad enough that the skill could be selected for many loosely related media tasks without clear limits. Overly broad trigger criteria increase the chance the agent invokes shell-backed video processing on sensitive files or in situations where the user did not intend local processing or export operations.

Missing User Warnings

Medium
Confidence: 92%
Finding: The subtitle workflow notes ASR providers including Whisper and FunClip but does not warn that audio or video content may be transmitted to an external service depending on configuration. This creates a real privacy and data-handling risk, especially for meetings, internal recordings, or personal media that may contain sensitive spoken content.

VirusTotal

61/61 vendors flagged this skill as clean.