Vidu official video generation. Image to video / Text to video / Reference to video / Text to image / Reference to image / Video edit / Image edit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Vidu cloud media-generation skill, with ordinary privacy cautions around uploaded media, API tokens, and debug logs.

Install only if you trust vidu-cli and Vidu with the prompts, media files, URLs, task details, and account quota data you provide. Use a limited VIDU_TOKEN where possible, avoid private or regulated files unless approved, and leave VIDU_DEBUG off except for trusted local troubleshooting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README instructs users to submit text prompts, images, audio, and video to a remote third-party API but does not clearly warn that this transfers potentially sensitive data off the local machine. In an agent-skill context, users may assume the tool operates locally or may pass private media and prompts through automation, increasing the risk of unintended disclosure of personal, confidential, or regulated data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly documents a debug mode that prints full API response bodies to stderr, but gives no warning that responses may contain sensitive metadata, task details, URLs, or other user-linked content that could end up in terminal history, CI logs, shared screenshots, or centralized log collection. In an agent/CLI context, verbose logging is commonly enabled during troubleshooting, so the lack of a caution materially increases the chance of accidental data exposure.

Missing User Warnings

Medium
Confidence: 81%
Finding
The README promotes uploading images, audio, and video to the Vidu API and downloading generated outputs, but does not clearly warn users that their media and prompts are transmitted to a remote third-party service. For an agent skill, this matters because users may assume local processing and unintentionally send sensitive personal, proprietary, or regulated content to an external provider.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation explicitly states that local file paths will be auto-uploaded and remote URLs will be passed through to the server, but it does not prominently warn users that using these features transfers potentially sensitive local media or causes the server to fetch third-party resources. In an agent skill context, this increases the risk of unintended data disclosure or privacy violations if a user or upstream prompt supplies private files or internal URLs without understanding they will leave the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.
