ClawHub
Back to skill

Security audit

Dygod Movies

Security checks across malware telemetry and agentic risk

Overview

This movie-search skill is purpose-aligned on the surface, but it ships hardcoded NAS credentials and can create or delete Synology download tasks without clear safeguards.

Review carefully before installing. Replace and rotate the embedded NAS credentials, move configuration to secure user-supplied secrets, use HTTPS where available, require explicit confirmation before every download or deletion, restrict allowed URI schemes and destination folders, add authentication to the FastAPI service, and pin dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tainted flow: 'data' from requests.get (line 561, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
data["destination"] = destination
    
    try:
        resp = requests.post(url, data=data, timeout=15)
        result = resp.json()
        
        if result.get("success"):
Confidence
84% confidence
Finding
resp = requests.post(url, data=data, timeout=15)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Listing and deleting DownloadStation tasks expands the skill from content lookup and download initiation into management of existing NAS jobs. If exposed through the agent without strong confirmation and authorization boundaries, a user or prompt injection could inspect activity or delete active downloads, causing integrity and availability issues.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file goes beyond passive movie/TV querying and includes authenticated management of a Synology Download Station, including listing, creating, and deleting tasks on an internal NAS. That materially expands the skill's privilege and attack surface, making a content-retrieval skill capable of causing state-changing actions on a private device.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The skill hardcodes credentials for an internal Synology NAS and uses them to authenticate automatically over the network. Hardcoded secrets are a severe issue because anyone with code access can recover them, and the capability is especially dangerous here because it grants access to a private internal device unrelated to simple content scraping.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents one-click NAS downloads and task deletion without prominent safety warnings or clear confirmation requirements for operations that change system state. In an agent setting, insufficient friction around these actions increases the risk of unintended downloads, storage consumption, or deletion of existing tasks through ambiguous user requests or prompt injection.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code embeds Synology username and password directly in source and uses them for network login without disclosure. This exposes credentials to anyone who can inspect the repository, logs, backups, or packaged skill contents, and creates unauthorized access risk to the NAS.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill can create download tasks on a Synology NAS as a direct side effect, but there is no built-in confirmation gate, approval workflow, or warning that a remote state-changing action will occur. In an agent setting, that makes accidental or induced downloads much more likely, especially since links originate from scraped third-party content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The /download endpoint accepts attacker-controlled magnet and destination values and immediately triggers a backend download/write operation to a Synology NAS without validation, authorization, or confirmation. In this skill's context, that is especially sensitive because the stated purpose includes one-click downloads to storage, making it easy to abuse for unauthorized content downloads, storage exhaustion, or writes to unintended locations depending on how download_movie handles destination paths.

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.115.0
uvicorn>=0.32.0
httpx>=0.27.0
requests>=2.32.0
Confidence
93% confidence
Finding
fastapi>=0.115.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.115.0
uvicorn>=0.32.0
httpx>=0.27.0
requests>=2.32.0
beautifulsoup4>=4.12.0
Confidence
93% confidence
Finding
uvicorn>=0.32.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.115.0
uvicorn>=0.32.0
httpx>=0.27.0
requests>=2.32.0
beautifulsoup4>=4.12.0
Confidence
93% confidence
Finding
httpx>=0.27.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
fastapi>=0.115.0
uvicorn>=0.32.0
httpx>=0.27.0
requests>=2.32.0
beautifulsoup4>=4.12.0
Confidence
93% confidence
Finding
requests>=2.32.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
uvicorn>=0.32.0
httpx>=0.27.0
requests>=2.32.0
beautifulsoup4>=4.12.0
Confidence
92% confidence
Finding
beautifulsoup4>=4.12.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
requests

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.