Xeonen Video Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it downloads a user-provided video, creates local transcripts/screenshots, and offers a user-directed summarization helper.

Install only if you are comfortable with downloaded media, transcripts, subtitles, and screenshots being stored locally. Use a dedicated output directory, clean it up after analysis, and do not paste or pipe transcripts into an external AI tool unless you have permission to process that content and understand where it will go.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill explicitly downloads videos, extracts audio, generates transcripts, and stores screenshots under a local outputs directory, but it does not warn users about privacy, copyright, retention, or handling of potentially sensitive data contained in recordings. In this context, users may process meeting recordings, podcasts, tutorials, or due-diligence videos that can contain personal, confidential, or proprietary information, creating avoidable data exposure and compliance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script reads up to 50,000 bytes from a transcript and formats it for submission to an external AI tool, but provides no warning that the transcript may contain sensitive or proprietary content. In a video-watcher skill, transcripts may include private meetings, internal training, or copyrighted material, so encouraging paste/send workflows without disclosure or consent creates a real data-leakage risk.

VirusTotal

64/64 vendors flagged this skill as clean.
