ClawHub

unisk_video_notification_pro

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated video-notification job, but it sends local videos and phone numbers to an external IVVR service with unsafe HTTPS verification disabled.

Review before installing. Use it only with a trusted IVVR endpoint and credentials, assume each invocation uploads the chosen local video and sends the recipient phone number externally, and require the publisher to remove verify=False or configure a proper trusted CA before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The upload request explicitly sets verify=False, disabling TLS certificate validation. This allows a man-in-the-middle attacker to intercept or alter uploaded video content, authentication headers, and API responses, which is especially risky because the skill transmits local file contents and IVVR credentials-derived signatures to an external service.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The notification-sending request also disables TLS certificate verification with verify=False. An attacker on the network path could intercept or tamper with phone numbers, request payloads, and responses, potentially causing unauthorized notifications, recipient manipulation, or leakage of sensitive metadata.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill is designed to upload a local video file and a phone number to external IVVR endpoints, but the user-facing description does not clearly warn that local file contents and personal data will be transmitted off-host. This creates a transparency and consent problem that can lead users to disclose sensitive local files or personal contact data unintentionally.

External Transmission

Medium
Category
Data Exfiltration
Content
"callees": [phone_number]
          }

          send_resp = requests.post(
              send_url,
              headers=headers,
              json=payload,
Confidence
90% confidence
Finding
requests.post( send_url, headers=headers, json=

Unsafe Defaults

Medium
Category
Tool Misuse
Content
headers=headers,
                  files=files,
                  timeout=60,
                  verify=False
              )

          if upload_resp.status_code != 200:
Confidence
99% confidence
Finding
verify=False

Unsafe Defaults

Medium
Category
Tool Misuse
Content
headers=headers,
              json=payload,
              timeout=30,
              verify=False
          )

          if send_resp.status_code != 200:
Confidence
99% confidence
Finding
verify=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal