Chanjing One Click Video Creation

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Chanjing short-video generation workflow that uses expected API credentials, network calls, local media files, and ffmpeg processing.

Install only if you trust Chanjing's API/CDN and are comfortable sending scripts, prompts, audio, and generated media through that service. Keep credentials.json out of source control, use restrictive file permissions, choose an explicit output directory, and review the Chinese/East Asian prompt defaults if you need locale-neutral outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities including environment-variable access, local file reads/writes, network egress, and shell/subprocess execution, yet the finding states no declared permissions are present. That mismatch weakens policy enforcement and user visibility, making it easier for a powerful skill to operate with insufficient review or sandbox constraints.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document says '不上传' ('does not upload'), but elsewhere it describes outbound HTTPS calls and media submission to external APIs/CDN URLs as part of rendering. This is a security-relevant transparency issue: operators may believe content stays local when user scripts, audio, or media are actually transmitted to third parties.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template hard-codes a default ethnicity profile ('East Asian' / 'natural East Asian facial features') whenever the input does not uniquely specify one. This creates demographic steering and non-user-consented identity inference in generated media, which is a safety and product-integrity issue because it injects protected-attribute assumptions into outputs rather than deriving them from explicit user intent.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The template hard-codes a China-default cultural and civilization context when prompts are otherwise unspecified, which can override user intent and silently bias generated outputs. In a content-generation pipeline, this creates a policy-level prompt injection risk: downstream models may systematically produce culturally specific people, places, and symbols even when neutrality, ambiguity, or other locales would be more appropriate.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The template declares itself as the standard planning rule for short-video generation broadly, without explicit activation criteria, exclusions, or user confirmation gates. In an agent setting, overly broad triggering can cause the skill to activate in unintended contexts and steer outputs toward this workflow even when the user's request does not fit, increasing the risk of incorrect automation or policy bypass through scope confusion.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill is hard-wired for Chinese-language, China-platform short-video production and does not provide a locale or language-selection path. In multi-tenant or general-purpose agent environments, this can override user intent, mishandle non-Chinese requests, and cause inappropriate platform-specific assumptions to propagate into downstream generation steps.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The skill requires a specific default ethnic/cultural profile without user opt-in and prohibits neutral person descriptions once a person may appear. That is dangerous because it operationalizes protected-attribute assignment as a mandatory generation rule, which can lead to biased outputs, exclusionary behavior, and systematic misrepresentation across many user requests.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
For historical Chinese-context outputs, the file mandates explicit 'East Asian facial features' anchoring. While likely intended to avoid culturally inaccurate image generation, it still codifies protected-attribute enforcement at the prompt-construction layer and may overconstrain identity representation in ways that are unnecessary, brittle, or discriminatory when applied broadly.

Credential Access

High
Category
Privilege Escalation
Content
description: >-
  用户输入选题或工作流,自动生成完整短视频成片(文案、分镜、数字人口播与
  AI 画面混剪);调用 Chanjing Open API 与同仓库子技能脚本。
credential: credentials.json (app_id/secret_key; access_token persisted on disk)
openclaw_primary_env: false
machine_readable: manifest.yaml
requires_ffmpeg: true
Confidence
88% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
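- **Capabilities and pipeline**: see **§1** for the step-level description; see **§5** for the responsibilities and subprocesses of `run_render` (the chain is not repeated here).
- **Primary credentials / paths / primaryEnv**: see **`manifest.yaml`**; for paths and write-back behavior, see also the "Credential state" row of the persistence table in **§3.2** and **`CHANJING_OPENAPI_CREDENTIALS_DIR`** (compatible with **`CHANJING_CONFIG_DIR`**).
- **Sensitivity and compliance**: do not echo full keys, and **do not commit `credentials.json` to version control**; recommended permissions are **`0700` / `0600`** (the configuration script sets them where possible).
- **Trust and outbound behavior**: for details such as HTTPS, fetching media from returned URLs, and writing to disk under **`--output-dir`**, see "Typical side effects" and the persistence table in **§3.2**; you must decide for yourself whether to trust the Chanjing hosts and links.
- **Browser**: for **`webbrowser.open` / `open_login_page.py`** when credentials are missing, see the same table in **§3.2**.
- **Agent policy**: **`agentPolicy`** in **`manifest.yaml`** (not always, does not modify other skills).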
Confidence
86% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
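| Category | What is written | Typical location | How the user controls it |
|------|----------|----------|----------------|
| **Credential state** | **`app_id` / `secret_key`** written via configuration, the refreshed **`access_token`, `expire_in`**, etc. | **`CHANJING_OPENAPI_CREDENTIALS_DIR/credentials.json`** (default **`~/.chanjing/credentials.json`**; compatible with **`CHANJING_CONFIG_DIR`**) | Set the recommended name or the legacy name; or migrate/delete the file; **do not** commit secrets to version control. |
| **One-click video artifacts** | **`final_one_click.mp4`**, **`workflow_result.json`**, **`work/`**, etc. | Specified by **`run_render.py --output-dir`** (commonly **`outputs/<任务名>/`**, i.e. a per-task directory named after the task) | Choose an explicit **`--output-dir`**; keep or delete the directory as needed once the task finishes. |
| **Other download scripts** (sub-skills) | Synthesis results and similar, saved locally | Each skill's **`download_result.py`** etc.: by default mostly under **`outputs/<产品线>/`** (a per-product-line directory) in the current working directory, or an absolute **`--output`** path | Run in the expected cwd, or always pass **`--output`**; see the corresponding skill's **`SKILL.md`** for details. |
| **Temporary/intermediate files** | TTS merging, segmenting, pre-upload caches, etc. | Mostly under **`work/` in the `output-dir` above** or in script-defined subdirectories | Managed together with the output directory. |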
Confidence
91% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
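| Category | What is written | Typical location | How the user controls it |
|------|----------|----------|----------------|
| **Credential state** | **`app_id` / `secret_key`** written via configuration, the refreshed **`access_token`, `expire_in`**, etc. | **`CHANJING_OPENAPI_CREDENTIALS_DIR/credentials.json`** (default **`~/.chanjing/credentials.json`**; compatible with **`CHANJING_CONFIG_DIR`**) | Set the recommended name or the legacy name; or migrate/delete the file; **do not** commit secrets to version control. |
| **One-click video artifacts** | **`final_one_click.mp4`**, **`workflow_result.json`**, **`work/`**, etc. | Specified by **`run_render.py --output-dir`** (commonly **`outputs/<任务名>/`**, i.e. a per-task directory named after the task) | Choose an explicit **`--output-dir`**; keep or delete the directory as needed once the task finishes. |
| **Other download scripts** (sub-skills) | Synthesis results and similar, saved locally | Each skill's **`download_result.py`** etc.: by default mostly under **`outputs/<产品线>/`** (a per-product-line directory) in the current working directory, or an absolute **`--output`** path | Run in the expected cwd, or always pass **`--output`**; see the corresponding skill's **`SKILL.md`** for details. |
| **Temporary/intermediate files** | TTS merging, segmenting, pre-upload caches, etc. | Mostly under **`work/` in the `output-dir` above** or in script-defined subdirectories | Managed together with the output directory. |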
Confidence
91% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.
