Security audit

Toonany

Security checks across malware telemetry and agentic risk

Overview

This looks like a real AI video-production skill, but it needs review because it handles API keys and sends story/media content to external AI services without strong privacy and secret-handling safeguards.

Install only if you are comfortable sending story text, prompts, reference images, dialogue, and generated media to the configured AI providers, and with the API costs that may result. Supply keys through environment variables or a secret manager rather than project.json, and do not echo them to the terminal. Do not process confidential manuscripts without permission, and keep projects in a private directory: intermediate files and exports can contain sensitive creative material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]

    try:
        subprocess.run(cmd, capture_output=True, check=True)
        if ass_path != subtitle_path:
            ass_path.unlink()
        logger.info(f"Burned subtitles: {output_path.name}")
Confidence
76% confidence
Finding
subprocess.run(cmd, capture_output=True, check=True). The excerpt passes an argument list and does not set shell=True, so the call itself is not shell-injectable; what matters is how `cmd` is assembled from values such as the subtitle and output paths earlier in the function, which the excerpt does not show. With check=True a non-zero ffmpeg exit raises CalledProcessError inside the try block, and with capture_output=True the tool's stdout and stderr (which may include file paths) are held in memory rather than written to the terminal.

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises access to environment variables, networked APIs, file reads/writes, and shell tools via metadata and workflow descriptions, but it does not declare an explicit permission model for those capabilities. That creates a trust and containment gap: an agent may perform sensitive operations such as reading API keys, writing files, or invoking ffmpeg/python without a clear least-privilege boundary or user-visible authorization expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to paste story content, upload files, and configure API keys for multiple third-party AI providers, but it omits any warning that uploaded manuscripts, scripts, and project data may be transmitted to external services and retained under those providers’ policies. This can expose unpublished creative works, sensitive training materials, or proprietary content, and poor key-handling guidance increases the risk of accidental credential disclosure or unsafe storage.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README markets a one-command end-to-end workflow without warning that it generates and stores many intermediate artifacts and media files on local disk. Users may unknowingly create large persistent outputs containing source text, derived scripts, images, audio, and final videos, which can consume storage and leave sensitive creative material recoverable on shared or unmanaged systems.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation criteria are broad enough to trigger on generic requests involving story creation, script writing, or video production, which can cause the skill to activate outside the user's intended scope. Over-broad auto-activation increases the chance that a high-capability skill with network, file, and shell access is invoked unnecessarily, expanding attack surface and enabling unintended data handling or command execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tutorial tells users to paste or upload novel content for processing, but it does not disclose that this material will be sent to third-party model providers such as DeepSeek, Volcengine, Kling, and TTS services. That creates a real data-handling and privacy risk, especially if users submit copyrighted, confidential, or sensitive unpublished manuscripts under the assumption processing is local.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The 'quick' / one-command workflow implies a simple guided action, but the documented pipeline actually fans out into multiple external API calls and produces many derivative files across the project directory. Without warning, users may unknowingly trigger broad data sharing, incur costs, and create persistent local artifacts containing story content, prompts, assets, audio, subtitles, and final video outputs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The prompt instructs users to run `echo $DEEPSEEK_API_KEY` and similar commands, which prints secrets in cleartext to the terminal. That can expose API keys through screen sharing, terminal logging, shell history capture tools, or copied session transcripts, which is unnecessary for simple presence checks.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill is written entirely in Chinese and directs the assistant's interaction style without providing any user-language detection, fallback, or consent. This can cause unsafe or misleading operation for users who do not understand Chinese, including misunderstanding workflow constraints, tool actions, or selection prompts, which is a real quality/safety issue in an agentic workflow.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The command documentation explicitly says it will check API keys in project.json and resolve ${ENV_VAR} syntax, which implies accessing credential-bearing configuration and environment variables. Without a clear warning about what data may be read, displayed, or logged, users may expose secrets unintentionally, especially in an agent workflow where command outputs can be surfaced broadly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly shows API keys being written directly into `project.json`, which encourages insecure credential handling even if labeled 'not recommended'. Users frequently copy example configs verbatim, and storing secrets in project files increases the risk of accidental commits, local leakage, and reuse in shared environments. In this skill's context, multiple third-party model providers are involved, so exposed keys could enable unauthorized API use and billing abuse across several services.
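The three findings above (the `echo $DEEPSEEK_API_KEY` presence check, the `${ENV_VAR}` resolution in project.json, and literal keys stored in that file) share one fix. The following is an added example and not the skill's own code: it assumes a project.json whose `api_keys` object maps a provider name to either a `${VAR}` reference or a literal string; the provider names, variable names and key values are constructed for illustration.

```python
import os
import re

# Accepts exactly one ${VAR} reference; anything else is treated as a literal value.
ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")


def mask(value):
    """Display-safe form of a secret: a short prefix and the length, never the value itself."""
    if not value:
        return "<empty>"
    return f"{value[:4]}...({len(value)} chars)"


def key_status(name, env=None):
    """Presence check that replaces `echo $NAME`: says whether NAME is set without printing it."""
    env = os.environ if env is None else env
    value = env.get(name, "")
    return f"{name}: set {mask(value)}" if value else f"{name}: unset"


def resolve_keys(config, env=None):
    """Resolve ${VAR} references in the assumed 'api_keys' section of a project.json-style dict.

    Returns (resolved, warnings). Unset references and literal keys stored in the
    config file are reported, and warnings only ever carry masked values.
    """
    env = os.environ if env is None else env
    resolved, warnings = {}, []
    for provider, raw in config.get("api_keys", {}).items():
        ref = ENV_REF.match(raw or "")
        if ref:
            var = ref.group(1)
            value = env.get(var, "")
            if not value:
                warnings.append(f"{provider}: {var} is referenced but unset")
            resolved[provider] = value
        else:
            warnings.append(
                f"{provider}: literal key stored in project.json ({mask(raw)}); "
                "move it to an environment variable or secret manager"
            )
            resolved[provider] = raw or ""
    return resolved, warnings


# Constructed sample input; provider names and values are illustrative only.
SAMPLE_ENV = {"DEEPSEEK_API_KEY": "sk-abcd1234567890"}
SAMPLE_CONFIG = {
    "api_keys": {
        "deepseek": "${DEEPSEEK_API_KEY}",
        "kling": "${KLING_API_KEY}",
        "tts": "tts-literal-key-0001",
    }
}

if __name__ == "__main__":
    print(key_status("DEEPSEEK_API_KEY", SAMPLE_ENV))
    print(key_status("KLING_API_KEY", SAMPLE_ENV))
    resolved, warnings = resolve_keys(SAMPLE_CONFIG, SAMPLE_ENV)
    for w in warnings:
        print("warning:", w)
```

The resolver still returns a literal key so an existing project keeps working, but it names the provider and masks the value in the warning; the agent can surface that message in a transcript without the transcript becoming a credential leak.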

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The TTS client places the API key directly in the request URL query string (`api_key=...`). Query-string secrets are commonly exposed through proxy/server access logs, monitoring tools, browser/history artifacts, error reports, and downstream telemetry, making accidental credential disclosure more likely than if the secret were sent in an authorization header. In this skill, the code is an API utility used for media generation workflows, so compromise of the TTS key could allow unauthorized API use, billing abuse, or access to the associated service account.
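As an added example (not the skill's TTS client, whose request-building code is not shown on this page), the query-string pattern the finding describes beside the header-based form, plus the two checks a reviewer would run over URLs before they reach logs. The endpoint host is a constructed `.invalid` name and nothing is sent; the bearer-token header shape is an assumption about the provider.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameter names that should never appear in a URL; extend for a given provider.
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "secret"}


def build_tts_request_querystring(base_url, api_key, text):
    """The pattern the finding describes (assumed shape, not the skill's code):
    the credential is a query parameter, so it lands in every access log."""
    return base_url + "?" + urlencode({"api_key": api_key, "text": text}), {}


def build_tts_request_header(base_url, api_key, text):
    """Hardened form: the credential travels only in the Authorization header."""
    return base_url + "?" + urlencode({"text": text}), {"Authorization": f"Bearer {api_key}"}


def secret_params_in_url(url):
    """Names of credential-looking query parameters; the check a reviewer or pre-commit hook would run."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SECRET_PARAMS)


def redact_url(url):
    """Scrub credential parameters before a URL reaches logs, tracebacks or error reports."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name.lower() in SECRET_PARAMS:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


# Constructed sample; the host is a reserved .invalid name, nothing is sent.
BASE_URL = "https://tts.example.invalid/v1/speech"

if __name__ == "__main__":
    leaky_url, _ = build_tts_request_querystring(BASE_URL, "k-123", "hello")
    safe_url, headers = build_tts_request_header(BASE_URL, "k-123", "hello")
    print("leaks:", secret_params_in_url(leaky_url), "->", redact_url(leaky_url))
    print("clean:", secret_params_in_url(safe_url), list(headers))
```

Moving the key into a header removes it from the request line that proxies, CDNs and the provider's own access logs record; `redact_url` is the fallback for client-side logging when a third-party library still builds URLs with the key in them.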

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Locations
  • scripts/generate_assets.py:338
  • scripts/generate_audio.py:264
  • scripts/generate_storyboard_images.py:309
  • scripts/generate_video.py:279

Before treating any of these as critical, open the flagged line and confirm whether the literal is a live credential or a placeholder, default or example value. A live key that has been committed should be rotated at the provider, not merely deleted from the file, since it remains in version history.
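The page does not show the four flagged lines, so the following is an added example of the kind of check behind an `exposed_secret_literal` rule, not the scanner used above and not the skill's code. It runs over constructed sample source lines (not lines from the Toonany scripts) and separates live-looking secrets from `${VAR}` references, placeholders and low-entropy strings; the name patterns, length and entropy thresholds are assumptions to tune per code base.

```python
import math
import re

# name = "value" or "name": "value"; the name may be quoted (JSON/dict keys) or bare (assignments).
ASSIGN = re.compile(r"""["']?(?P<name>[A-Za-z_][A-Za-z0-9_]*)["']?\s*[:=]\s*["'](?P<value>[^"']*)["']""")
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password|access[_-]?key", re.I)
# Values that look like configuration, not credentials: ${VAR} references, obvious placeholders, empty.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|your[_-].*|<[^>]*>|x{3,}|changeme)?$", re.I)


def shannon_entropy(text):
    """Bits per character; random-looking keys score high, repeated characters score near zero."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(lines, min_len=16, min_entropy=3.0):
    """Return (lineno, name, masked_value) for assignments that look like live secrets.

    Only a prefix and the length of the value are kept, so the report itself
    can be pasted into a ticket without repeating the credential.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in ASSIGN.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not SECRET_NAME.search(name):
                continue
            if PLACEHOLDER.match(value) or len(value) < min_len:
                continue
            if shannon_entropy(value) < min_entropy:
                continue
            hits.append((lineno, name, f"{value[:4]}...({len(value)} chars)"))
    return hits


# Constructed sample source lines; none of these come from the audited skill.
SAMPLE_LINES = [
    'api_key = os.environ.get("DEEPSEEK_API_KEY", "")',  # env lookup, empty default
    'api_key = "${DEEPSEEK_API_KEY}"',                   # reference resolved at runtime
    'KLING_ACCESS_KEY = "AKabcd1234efgh5678ijkl"',        # looks like a live key
    'token = "YOUR_TOKEN_HERE"',                         # placeholder
    'password = "aaaaaaaaaaaaaaaaaaaa"',                  # long but low entropy
    'title = "Generated with love 2024"',                # not a secret-bearing name
    '"tts_api_key": "tts-abc123def456ghi789jkl",',        # dict/JSON-style key
]

if __name__ == "__main__":
    for lineno, name, masked in scan_source(SAMPLE_LINES):
        print(f"line {lineno}: {name} = {masked}")
```

The entropy gate is what keeps `"aaaaaaaaaaaaaaaaaaaa"` out of the report, and the placeholder gate is what keeps `${DEEPSEEK_API_KEY}` out; a rule that fires without those two checks produces the kind of finding that still has to be confirmed by hand, as the four locations above do.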