Doubao Image Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a Doubao/Volcengine media-generation helper whose API-key use and optional video download are disclosed and fit its purpose.

Install only if you are comfortable providing a Volcengine Ark API key and sending generation prompts or referenced image URLs to that service. Use a limited or dedicated API key if possible, monitor provider usage costs, and save downloads to an intentional workspace path to avoid overwriting important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The helper will fetch any URL returned to it and write the response body to any caller-supplied local path, with no host allowlist, content-type validation, size limit, or path restriction. In this skill context, downloading the generated video is expected, but the implementation is broader than that purpose and can be abused for arbitrary file write and unexpected network retrieval if an attacker can influence the URL or destination path.

Missing User Warnings

Medium
Confidence: 88%
Finding
Remote content is written directly to a caller-provided filesystem path without warning, path safety checks, or confinement to a dedicated download directory. In combination with the arbitrary URL download behavior, this can overwrite unintended files or place untrusted content in sensitive locations, which is more dangerous than the skill's stated media-generation purpose requires.

VirusTotal

63/63 vendors flagged this skill as clean.
