video-generator-seedance

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Volcengine video-generation skill, with expected API use and local video downloads, but with some privacy and secret-handling guidance that users should read.

Install only if you are comfortable using Volcengine's remote API. Store config.json carefully, do not commit it, and avoid submitting confidential prompts, private image URLs, proprietary media, or regulated personal data unless you are authorized and accept the provider's handling of that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README tells users to place a live API key in a local config.json file but does not warn about protecting the file, excluding it from version control, or using safer secret-storage mechanisms. This can lead to accidental credential exposure through commits, screenshots, backups, or shared project folders, enabling unauthorized API use and billing abuse.

Missing User Warnings

Medium
Confidence: 81%
Finding
The README encourages use of a reference image URL with an external video-generation API without warning that the image may contain sensitive, personal, or proprietary data that will be transmitted to a third-party service. Users may unknowingly upload confidential content or private images, creating privacy, compliance, and data-governance risks.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation states that generated videos are automatically downloaded, but it does not clearly warn users that files will be written to the local filesystem, potentially to default desktop locations. Silent or insufficiently disclosed file writes can surprise users, overwrite expected locations, or create privacy issues on shared machines.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill requires an API key and sends user-supplied prompts and optional image URLs to a third-party remote service, but it does not include a privacy or data-transmission warning. Users may unknowingly transmit sensitive prompts, image references, or metadata to an external provider, which is a meaningful confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
