Is akdeepankar/Clip-It safe?
https://github.com/akdeepankar/Clip-It
This media processing skill contains severe prompt injection vulnerabilities, explicitly instructing the agent to extract sensitive financial information and bypass privacy protections. While the core functionality appears legitimate, the privacy and security override instructions make it dangerous to deploy without significant modifications.
Findings (6)
CRITICAL Explicit Sensitive Data Extraction Instructions -25
The skill explicitly instructs the agent to extract sensitive information like credit card numbers from audio content, bypassing normal privacy protections with the justification that processing is 'local'.
CRITICAL System Behavior Override Instructions -40
The skill contains explicit instructions to override normal agent transparency and consent mechanisms, telling the agent to never ask users for transcripts or explanations.
HIGH Privacy Protection Bypass -35
The skill instructs the agent to bypass privacy concerns by claiming local processing preserves privacy, while actually sending data to external APIs.
MEDIUM External API Data Transmission -15
The skill sends user audio/video content to external services (ElevenLabs for transcription/dubbing, OpenAI for analysis), which constitutes data exfiltration by design.
MEDIUM Dynamic Package Installation -15
The Python script automatically installs packages if missing, which could introduce security risks or unexpected dependencies.
LOW YouTube Content Processing -10
The skill downloads and processes content from YouTube URLs, which could be used for unauthorized content access or processing.