ClawHub

Vlog Auto Edit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent travel-vlog editing skill, but users should understand that selected video frames may be sent to a chosen vision API.

Install only if you are comfortable letting the agent read your footage folder, generate local transcripts/thumbnails/dashboards, install the listed media packages, and send selected frames to your chosen vision API. Use a limited API key, review the provider's retention policy, avoid sensitive footage unless approved, and review the dashboard before final rendering or sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The optional reference-analysis step expands the skill from editing user-provided footage into downloading third-party content from external platforms. That broadens the attack and compliance surface, introducing network activity and acquisition of unrelated content not necessary for the core editing task.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The workflow requires uploading extracted local video frames to an external vision API, which is a real data-exfiltration channel for potentially sensitive personal media. The manifest description does not make this external transmission explicit, so users may not realize their footage leaves the local environment.

Context-Inappropriate Capability

Low
Confidence
72% confidence
Finding
The script automatically opens the generated dashboard in the user's default browser on macOS without explicit consent. Because the HTML embeds untrusted analysis and plan data into a script block, auto-opening increases the chance that any HTML/JS injection in the generated dashboard is immediately triggered in a browser context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to use a third-party visual understanding API to analyze video footage and supply an API key, but it does not clearly disclose that frames or clips may be transmitted off-device to external providers. For a workflow centered on personal travel videos, this can expose sensitive imagery, voices, locations, and metadata, creating a real privacy and data-handling risk if users assume processing is local.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents sending locally extracted frames to a vision API but does not provide a clear privacy warning or explicit consent requirement. Because the content is personal video footage, missing disclosure materially increases the risk of unintended exposure of sensitive images and context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal