ClipMatrix — TikTok/IG AI Video Factory

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches a social video automation tool, but it also contains under-disclosed host-level and credential-handling behavior that users should review carefully before installing.

Install only if you are comfortable granting this skill access to your social publishing accounts, Metricool token, local media library, and some OpenClaw credential/profile files. Review or remove the host-level cleanup/proxy code before running it on your main machine, and run it in an isolated environment with a dedicated config, dedicated workspace directory, and limited API credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for attempt in range(3):
        try:
            r = subprocess.run(
                [HF_NODE, HF_BIN, "render", "-o", output_path,
                 "--resolution", resolution, "--quality", quality,
                 "--fps", "30", str(_WORK_DIR)],
Confidence
83% confidence
Finding
r = subprocess.run( [HF_NODE, HF_BIN, "render", "-o", output_path, "--resolution", resolution, "--quality", quality, "--fps", "30", str(_W

subprocess module call

Medium
Category
Dangerous Code Execution
Content
SCRIPT = os.path.join(os.path.dirname(__file__), 'run_and_notify.py')

def cleanup_chrome():
    subprocess.run(['pkill', '-9', '-f', 'Google Chrome'], capture_output=True, timeout=5)

def cleanup_workspace():
    ws = os.path.join(os.path.dirname(__file__), '..', get_path("workspace_dir"))
Confidence
93% confidence
Finding
subprocess.run(['pkill', '-9', '-f', 'Google Chrome'], capture_output=True, timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
        # Proxy blocked: kill the process and retry
        if attempt < 2:
            subprocess.run(['pkill', '-9', '-f', 'MacPacketTunnel'], capture_output=True, timeout=5)
            time.sleep(2)
    return ""
Confidence
99% confidence
Finding
subprocess.run(['pkill', '-9', '-f', 'MacPacketTunnel'], capture_output=True, timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"fileExtension": "mp4"
        })

        r = subprocess.run(["curl", "-s", "-X", "PUT",
            f"{api_url}/v2/media/s3/upload-transactions?{base_q}",
            "-H", "Content-Type: application/json", "-H", auth_h,
            "-d", s3_start_body],
Confidence
93% confidence
Finding
r = subprocess.run(["curl", "-s", "-X", "PUT", f"{api_url}/v2/media/s3/upload-transactions?{base_q}", "-H", "Content-Type: application/json", "-H", auth_h,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if any(p["network"] == "instagram" for p in _providers):
            _body["instagramData"] = {"autoPublish": True}
        post_body = json_lib.dumps(_body)
        r4 = subprocess.run(["curl", "-s", "-w", "\n%{http_code}",
            "-X", "POST", f"{api_url}/v2/scheduler/posts?{base_q}",
            "-H", "Content-Type: application/json", "-H", auth_h,
            "-d", post_body],
Confidence
94% confidence
Finding
r4 = subprocess.run(["curl", "-s", "-w", "\n%{http_code}", "-X", "POST", f"{api_url}/v2/scheduler/posts?{base_q}", "-H", "Content-Type: application/json", "-H", auth_h,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cdn_url = ""
        if upload_type == "SIMPLE":
            r2 = subprocess.run(["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
                "-X", "PUT", "-T", video_path,
                "-H", "Content-Type: video/mp4",
                "-H", f"x-amz-checksum-sha256: {file_hash_b64}",
Confidence
89% confidence
Finding
r2 = subprocess.run(["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "-X", "PUT", "-T", video_path, "-H", "Content-Type: video/mp4",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"parts": completed_parts,
                }
            }
            r_comp = subprocess.run(["curl", "-s", "-w", "\n%{http_code}",
                "-X", "PATCH",
                f"{api_url}/v2/media/s3/upload-transactions?{base_q}",
                "-H", "Content-Type: application/json", "-H", auth_h,
Confidence
88% confidence
Finding
r_comp = subprocess.run(["curl", "-s", "-w", "\n%{http_code}", "-X", "PATCH", f"{api_url}/v2/media/s3/upload-transactions?{base_q}", "-H", "

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# When there is no CDN URL, use the raw S3 URL
            s3_url = f"https://{bucket}.s3.eu-west-1.amazonaws.com/{key}"
            encoded_url = quote(s3_url, safe="")
            r3 = subprocess.run(["curl", "-s", "-w", "\n%{http_code}",
                f"{api_url}/actions/normalize/image/url?url={encoded_url}&{base_q}",
                "-H", auth_h], capture_output=True, text=True, timeout=30)
            parts3 = r3.stdout.strip().rsplit("\n", 1)
Confidence
86% confidence
Finding
r3 = subprocess.run(["curl", "-s", "-w", "\n%{http_code}", f"{api_url}/actions/normalize/image/url?url={encoded_url}&{base_q}", "-H", auth_h], capture_outpu

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(tmp, "wb") as f:
                    f.write(part_data)
                # Use -D to capture the response headers and get the ETag
                r_p = subprocess.run(["curl", "-s", "-D", "/tmp/mc_hdr" + str(pn),
                    "-o", "/dev/null", "-w", "%{http_code}",
                    "-X", "PUT", "-T", tmp,
                    "-H", "Content-Type: video/mp4",
Confidence
87% confidence
Finding
r_p = subprocess.run(["curl", "-s", "-D", "/tmp/mc_hdr" + str(pn), "-o", "/dev/null", "-w", "%{http_code}", "-X", "PUT", "-T", tmp,

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This template builds HTML with untrusted scene data and assigns it to innerHTML, allowing attacker-controlled headline or subtitle content to inject arbitrary markup or script-bearing elements into the rendered page. In this skill, the data appears to come from external composition input for automated batch video generation, which increases exposure because one malicious payload could propagate across many rendered outputs or any browser-based preview/render environment.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The template renders untrusted scene data into the DOM using innerHTML for both subtitle and tag content. An attacker controlling the JSON payload can inject arbitrary markup and potentially script-capable elements or event handlers, leading to DOM XSS in the rendering environment; in a batch video-production skill, a single malicious payload could affect many generated jobs or operator sessions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The embedded JSON exposes absolute local filesystem paths from a developer workstation (for example, a /Users/... path). This leaks internal environment details that are unnecessary for runtime operation and can aid reconnaissance by revealing usernames, directory structure, naming conventions, and source media organization. In this social-video template context, the leakage is not directly exploitable for code execution, but it is still an avoidable information disclosure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The workspace cleanup deletes every file and most directories under a configurable path without validating that the resolved path is confined to a dedicated safe directory. If workspace_dir is misconfigured, tampered with, or points to a shared location, this can cause destructive data loss well beyond the tool's stated batch video purpose.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Killing all Chrome processes is broader than necessary for batch content generation and gives the skill disruptive control over the host environment. In this context, the capability is more dangerous because the tool is intended to run repeatedly across many accounts, multiplying the chance of collateral disruption.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The notifier contains logic to kill a local process to work around connectivity issues, creating behavior far outside its stated purpose. This can disable VPN/proxy protections or interrupt other software, making the host less secure and violating user expectations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file advertises itself as a simple Feishu notifier with token caching, but it also includes destructive process-termination behavior not disclosed by the module description. This mismatch is security-relevant because it conceals side effects that can impair local protections and makes review and safe use harder.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
If the requests library is unavailable, the function accepts any provided license as valid and upgrades the user to the pro plan without verification. This creates a straightforward license-bypass condition where an attacker or user can intentionally remove the dependency or run in an environment without requests to gain unauthorized access.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
On any network exception, the code reports the license as accepted and enables the pro plan even though validation did not occur. An attacker can exploit this by blocking network access, tampering with DNS, or otherwise forcing request failures to bypass license enforcement.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads API credentials from a shared local auth-profiles store unrelated to the declared function of generating video scripts. Accessing a broad credential cache expands the trust boundary and can silently appropriate secrets belonging to other tools or providers, creating unauthorized credential use and possible lateral data exposure.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code silently falls back from DeepSeek to MiMo/Xiaomi, sending the same prompt to a second external provider without an explicit trust decision. This changes where data is transmitted and processed, which can violate user expectations, data handling assumptions, or contractual restrictions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The MiMo key loader searches shared local auth profiles for Xiaomi/MiMo credentials even though the skill's role is script generation. Scanning a common credential store for matching provider names can unintentionally capture unrelated secrets and use them for outbound requests, increasing the blast radius of a compromise or misconfiguration.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module is presented as fetching AI insights, but this code issues authenticated POST requests that create and modify Metricool dashboards. That is a real integrity-impacting side effect because simply invoking the feature can alter remote account state without an explicit consent boundary, and the skill manifest does not clearly disclose this broader administrative behavior.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The code contains undisclosed brand-specific filtering for 'Pandajourneys' and travel-related keywords, causing the skill to selectively process content in a way not described to the user. In an agent skill, hidden targeting logic is risky because it can bias outputs, manipulate account analysis, or repurpose the skill for a specific campaign without transparent authorization.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring states the code only gets insights, but the implementation also creates dashboards, adds content, and launches sync jobs. This mismatch is security-relevant because callers may treat the function as read-only and invoke it in contexts where remote mutations are not expected or approved.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements Cloudflare site analytics collection for a specific domain, which is materially different from the declared skill purpose of batch social video production and publishing. This mismatch is dangerous because it can disguise unauthorized access to website telemetry and account data behind an unrelated manifest, reducing user scrutiny and enabling covert data collection.

VirusTotal

65/65 vendors flagged this skill as clean.
