ClawHub

文生视频 16ea34

Security checks across malware telemetry and agentic risk

Overview

This is an informational ComfyUI/text-to-video guide with sloppy duplicated routing text, but no code, credential use, persistence, or hidden high-impact behavior.

Install only if you want a lightweight Chinese-language reference for ComfyUI/text-to-video workflows. Expect some noisy or duplicated content and broad activation on related keywords; review linked tutorial sources yourself before following any installation advice from those external videos.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger conditions are broad and generic, such as matching users who 'need help' with text-to-video topics, which can cause the skill to activate in unrelated conversations. In an agent system, overly broad routing increases the chance of unintended invocation, prompt hijacking of user workflows, and exposure to unvetted external-content-derived guidance.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest trigger list contains vague, trend-like, and generic phrases, including broad topic labels and marketing wording, making accidental matches more likely. Because this skill is built from merged external video-derived content, loose triggers increase the chance that noisy or irrelevant content is surfaced in response to ordinary user requests.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The merged sections repeat the same broad trigger strategy, compounding the routing problem and expanding the surface for unintended activation. Repetition across merged skill fragments suggests poor curation of imported content, which raises the risk that unrelated or low-quality material will be injected into agent responses when broad keywords are mentioned.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal