Complete AI Video Production Workflow (AI视频完整制作工作流)

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only AI video workflow guide with no hidden code, credential use, or destructive behavior found.

Install only if you want a structured AI-video production workflow. Before using it, confirm where any project folder or checklist will be created, and avoid uploading private or confidential images to third-party AI tools unless you accept that platform's handling of the content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill description uses very broad activation examples, such as generic requests to make an AI video or to learn AI video creation, which can overlap with ordinary conversational help rather than a clearly scoped skill invocation. This can cause unintended routing or automatic activation, leading the agent to apply a rigid workflow when the user may only want narrow advice, increasing the chance of mis-execution or context confusion.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The 'automatic execution' section states that the skill should run when users make common everyday requests such as 'help me make an AI video' or 'how to make AI video', without any boundary checks or exclusions. In an agent system, ambiguous auto-activation can misroute user intent, override more appropriate skills or normal chat handling, and create unreliable behavior that an attacker could exploit through prompt phrasing to force this workflow.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The workflow explicitly instructs the agent to create a project folder under the user's Desktop and to generate a progress file, but it does not require notifying the user or obtaining consent before modifying the local filesystem. In an agent skill context, silent or assumed file writes can violate user expectations, create privacy issues, and lead to unwanted persistence of sensitive project data on disk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The workflow tells users to upload reference images and first-frame images to external AI tools without warning that those assets may contain sensitive, personal, or proprietary information. In a media-production skill, this increases the risk of accidental disclosure of private images, copyrighted material, or confidential project content to third-party services.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal