ClawVideo Generation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward JSON2Video helper, with the main risk being that video content and a local payload preview may expose user-provided text or media URLs.

Install only if you are comfortable sending your video prompts, narration text, overlays, image URLs, audio URLs, and related metadata to JSON2Video. Avoid putting secrets, confidential business data, personal data, or private internal URLs in configs, and be aware that the script prints a truncated payload preview to stdout.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill accepts image URLs, audio URLs, voice text, and AI prompts, then submits them to the external JSON2Video API, but the description does not clearly warn users that this content leaves the local environment for third-party processing. This can lead to unintended disclosure of sensitive media, script text, affiliate content, or proprietary prompts to an external service.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script prints a payload preview before submission, and that payload can contain sensitive prompts, scene text, and third-party media URLs supplied in the config. In CLI, CI, or shared logging environments, this can leak user content or internal URLs to logs without clear consent, especially since the tool also sends the full payload to an external API.

VirusTotal

47/47 vendors flagged this skill as clean.
