Video Director
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.
This appears safe for its stated purpose of generating video storyboard JSON. If you use the command-line helper, treat it like any local script: run it only with files you intend to process, keep output paths scoped, and note that the provided review could not fully inspect the truncated script content. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the command-line mode runs local JavaScript on your machine and may read/write the files you specify.
The skill documents executing a bundled Node.js helper script. This is consistent with generating storyboard JSON and is not shown as automatic or privileged, but it is still local code execution.
node scripts/plan.js "主题" '[{"text":"口播文案","emoji":"💡","title":"标题"}]'
Run it only from the installed skill directory, use intended input/output files, and review the script if you need high assurance.
The skill may not run in environments without Node.js, and the runtime expectation is clearer in the documentation than in the registry metadata.
The registry metadata does not declare a Node runtime even though SKILL.md provides Node-based execution examples. This is a metadata clarity gap rather than evidence of malicious behavior.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Confirm Node.js is available before using command-line mode; maintainers should declare the runtime requirement in metadata.
