Security audit

llm-video-generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video generator that sends prompts and selected images to ZhipuAI, with no evidence of hidden, destructive, or unrelated behavior.

Install this only if you are comfortable using ZhipuAI for video generation and sending prompts, selected images, and continuation frames to that service. Use a scoped API key where possible, watch provider quota and costs, and avoid sensitive media unless external processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill clearly instructs execution of Python scripts, shell commands, network API calls, environment-variable use, and file creation, yet it declares no corresponding permissions. This creates a transparency and governance gap: users and policy systems cannot accurately assess or constrain what the skill can do, increasing the risk of unintended data access, arbitrary command execution, and outbound transfer during operation.

Missing User Warnings

Medium
Confidence: 95%
Finding
When a user supplies a local file path, the script silently reads the image, base64-encodes it, and transmits it to the remote ZhipuAI video-generation API. In an agent setting, this can cause unintended exfiltration of sensitive local images because the data transfer is implicit and not clearly disclosed or gated by explicit user consent.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.