Video Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised video download, transcription, frame extraction, and optional transcript summarization workflow, with privacy and prompt-handling cautions for generated transcripts.

Use a dedicated output folder, expect media and transcript files to remain there until deleted, and avoid processing confidential videos unless local storage is acceptable. Do not paste or pipe sensitive transcripts into an external AI tool unless you intend to share that content, and ignore any instructions that appear inside a transcript.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill explicitly downloads videos and stores derived artifacts such as audio, transcripts, subtitles, and frames on local disk, but it does not warn users that these outputs may contain sensitive or copyrighted content. In environments handling private meetings, due-diligence materials, or internal recordings, this can lead to unintentional retention, secondary exposure, or mishandling of sensitive data.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script reads transcript content and formats it for direct submission to an external AI tool, but provides no warning, consent step, redaction guidance, or boundary on sensitive data exposure. Because transcripts may contain proprietary, personal, or confidential information, this creates a real data disclosure risk if users follow the suggested workflow and paste or pipe the content to a third-party service.

VirusTotal

66/66 vendors flagged this skill as clean.
