llm-video-generator

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated video-generation purpose, but users should know that it requires a ZhipuAI API key and dependencies that its registry metadata does not declare, and that it sends prompts or images to ZhipuAI.

This appears suitable for its stated purpose if you intend to use ZhipuAI for video generation. Before installing, make sure you are comfortable providing a ZhipuAI API key, sending prompts/images to that provider, and storing generated task metadata in the chosen output folder.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Using the skill will use the user's ZhipuAI account and may consume quota or incur provider charges.

Why it was flagged

Core generation requires the user's ZhipuAI API key, even though the registry metadata declares no primary credential or required env vars.

Skill content

Environment:
    ZHIPU_API_KEY  Required. ZhipuAI API key.
...
api_key = os.environ.get("ZHIPU_API_KEY")

Recommendation

Use a scoped or limited ZhipuAI API key if available, monitor usage/costs, and revoke the key if you no longer use the skill.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Prompts, uploaded images, and continuation frames are processed by an external provider as part of video generation.

Why it was flagged

For image-based modes, local image files are converted to base64 data URLs and sent with prompts to the ZhipuAI video generation API.

Skill content

if os.path.isfile(img):
    img = image_to_base64_url(img)
...
response = client.videos.generations(
    model="cogvideox-3",
    prompt=prompt,
    image_url=image_url,

Recommendation

Avoid using private or sensitive images/prompts unless you are comfortable sending them to ZhipuAI under its terms and retention policies.

ASI06: Memory and Context Poisoning
Info
What this means

Prompt text and result metadata may remain on disk after generation completes.

Why it was flagged

The script stores generation metadata, including the prompt, in JSON files under the selected output directory.

Skill content

task_info = {
    "task_id": task_id,
    "mode": args.mode,
    "prompt": args.prompt,
    "timestamp": time.strftime("%Y-%m-%d %H:%M:%S"),
}

Recommendation

Choose an appropriate output directory and delete task/result JSON files if the prompt or generated video URL is sensitive.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installation or execution may fail unless the local environment already has the expected Python path, Python packages, and video tools.

Why it was flagged

The scripts depend on ffmpeg/ffprobe and a ZhipuAI Python client, but the registry metadata lists no required binaries and no install spec.

Skill content

cmd = [
    "ffmpeg", "-y",
    "-f", "concat",
    "-safe", "0",
    "-i", list_path,

Recommendation

Before installing, confirm ffmpeg/ffprobe, the ZhipuAI Python client, and /opt/anaconda3/bin/python3 are available, or update the skill metadata/install instructions.