Jianying Video Compose

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only video automation skill that uses disclosed remote APIs, but users should avoid private media unless they trust the service and transport details.

Install only if you are comfortable sending chosen media and text to the listed Eastmoney/Jianying proxy endpoints. Do not use confidential or regulated content until you verify the service owner, access controls, retention/deletion policy, and whether HTTPS media download URLs are supported.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to upload local files to a remote OSS endpoint but does not warn that local content will be transferred to an external service or discuss sensitivity, retention, or authorization requirements. In an automation context, this can lead users to unknowingly send confidential media or embedded metadata to non-local infrastructure, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The reference explicitly instructs users to upload media files to remote OSS and proxy video service endpoints, but it does not disclose that user-provided images, videos, and audio are transmitted off-system to third-party or remote infrastructure. In a media-processing skill, this omission can lead operators to unknowingly send sensitive content to external services, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation constructs downloadable media URLs over plain HTTP, which exposes media filenames, bucket names, and file contents to interception or tampering by a network attacker. Because this skill handles uploaded media and generated video assets, insecure transport materially increases the risk of data leakage and content substitution during retrieval.

VirusTotal

65/65 vendors flagged this skill as clean.
