ClawHub

muapi-media-editing

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward muapi.ai media-editing wrapper, with expected but sensitive uploads and API-key handling users should understand.

Install only if you are comfortable sending selected media and prompts to muapi.ai and any downstream providers it uses. Prefer setting MUAPI_KEY in your shell or a secret manager instead of using --add-key; if you do use .env, keep it private, out of source control, and permission-restricted. Avoid uploading sensitive, regulated, or unauthorized face, voice, business, or personal media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script includes a built-in `--add-key` feature that persists the API key locally in a `.env` file, which is unrelated to the core lipsync operation and expands the skill's handling of secrets. This increases the risk of accidental credential exposure through permissive file permissions, repository inclusion, backups, or shared working directories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages users to submit images, videos, audio, and prompts to external AI services but does not warn that potentially sensitive media and text will leave the local environment. This creates a real privacy and data-handling risk, especially for personal media, biometric content such as faces and voices, or confidential business assets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script offers a convenience flag that persists the MUAPI API key into a local .env file without warning the user that the credential will be stored on disk in plaintext. This increases the chance of accidental exposure through weak filesystem permissions, backups, shell history workflows, or committing .env into source control.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
When local files are supplied, the helper automatically uploads them to the remote muapi.ai service, but the interface provides no explicit privacy or data-transfer warning at the point of use. For image-editing workflows this can include sensitive personal photos, biometric face images, or proprietary media, so silent remote transfer meaningfully increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes the API key directly to `.env` without any warning that this stores a reusable secret on disk. Users may unknowingly leave credentials in plaintext where they can be exposed via source control, local compromise, or other processes reading the workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes the API key to .env in plaintext without warning the user about local credential persistence or applying restrictive permissions. On shared systems or in accidentally committed project directories, this can expose the key and allow unauthorized API usage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal