ClawHub

抖音生成短视频

Security checks across malware telemetry and agentic risk

Overview

This skill’s video-generation purpose is coherent, but it needs review because broad activation could lead to third-party API uploads and local file creation without clear consent boundaries.

Review before installing. Use it only for non-sensitive scripts, confirm the provider and costs before running the pipeline, use scoped API keys, and expect generated scripts, reports, and provider responses to be written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger examples include very broad phrases such as creating content about a topic, which can match many ordinary user requests and cause the skill to activate unexpectedly. Because this skill performs search, script generation, and third-party video generation, overbroad activation increases the chance of unintended data handling and external API use without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic API calls to third-party avatar providers and video download/processing, but does not warn users that their prompts, generated scripts, and possibly sensitive content may be transmitted externally and stored in output files. In a content pipeline, this omission is dangerous because users may unknowingly expose confidential data or trigger billable third-party actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends full script content to third-party avatar providers (HeyGen, D-ID, Synthesia) without any consent prompt, warning, or data-classification check. If users include sensitive, proprietary, or personal data in the script, that data is disclosed to external services by design, creating privacy, compliance, and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal