ClawHub

Video Script Writer

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only Chinese short-video writing helper with no evidence of hidden execution, data access, persistence, or credential handling.

Install this if you want a Chinese short-video script assistant. Be aware it may activate on broad script, recommendation, tutorial, or content-writing requests, so give explicit platform and video-script context when using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation guidance is very broad and includes common writing-related phrases such as '脚本', '短视频文案', and '分镜', which can match many ordinary user requests. This can cause the skill to activate when the user did not intend to use it, leading to prompt-routing errors, unnecessary context loading, and reduced user control over how requests are handled.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The mode trigger descriptions are generic ('tell me the topic', 'give me a theme') and do not define clear boundaries for when each mode should be used. In an agentic system, vague triggers increase the chance of accidental activation or incorrect mode selection, which can steer the assistant into the wrong workflow and produce irrelevant or policy-misaligned outputs.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The automatic keyword-to-template mapping uses highly common words like '推荐', '如何', '体验', and '知识', which appear in many unrelated requests. This broad matching can misclassify normal conversation as a short-video scripting task, causing unintended template loading and overreach by the skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal