豆包视频创作助手

Security checks across malware telemetry and agentic risk

Overview

The skill’s video-generation purpose is understandable, but the package exposes real-looking credentials and stores user API keys and project data in plaintext without enough safeguards.

Do not install this version unless the exposed tokens have been removed and rotated. If you use it, provide only a limited-scope API key, assume prompts and reference materials may be sent to third-party generation services, avoid sensitive or private content, and do not run the bundled GitHub publishing scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Intent-Code Divergence (High, 99% confidence)

The document embeds a GitHub personal access token in plaintext and explicitly instructs the user to enter it as a password during `git push`. This is credential disclosure and credential misuse guidance: anyone with access to this file can reuse the token to access the associated GitHub account or repositories, and users may normalize unsafe secret-handling practices.

Context-Inappropriate Capability (High, 99% confidence)

The skill hardcodes a concrete API key directly in documentation and examples, which exposes a usable credential to anyone who can read the file. In this context the key is for a real external service and the same credential is also presented as a default configuration value, so misuse, billing abuse, and unauthorized API access are plausible.

Context-Inappropriate Capability (High, 98% confidence)

The skill instructs persistence of a default API key in a local config file under the workspace, creating credential-at-rest exposure beyond transient use. Combined with the hardcoded key, this increases the blast radius because any local file disclosure, backup leak, or workspace sharing can expose the secret for continued unauthorized access.

Context-Inappropriate Capability (Medium, 99% confidence)

The document exposes what appear to be real API credentials for both image and video generation services directly in a Markdown update file. Hard-coded secrets in documentation are highly dangerous because anyone with access to the repository, logs, or packaged skill can reuse them to make unauthorized API calls, incur charges, or access related service data.

Intent-Code Divergence (High, 99% confidence)

The script embeds a live GitHub personal access token directly in the file and also instructs the user to type it manually, which exposes a reusable secret to anyone who can read logs, source control, or terminal output. In a skill context, this is especially dangerous because scripts are often shared, cloned, or inspected by other users and agents, turning the credential leak into immediate repository compromise.

Missing User Warnings (High, 99% confidence)

The file contains what appears to be a live ClawHub authentication token embedded directly in a login command. Publishing secrets in documentation or logs can enable unauthorized access to the associated account, package publishing actions, or other platform resources if the token is still valid.

Vague Triggers (Medium, 84% confidence)

The example trigger phrase '用豆包帮我生成一个产品宣传视频' is broad natural-language wording that overlaps with ordinary user requests for video creation. In agent environments that infer skill activation from examples or trigger phrases, this can cause unintended invocation of the skill during normal conversation, leading to accidental execution flow, user confusion, or unintended use of external services.

Missing User Warnings (High, 98% confidence)

The markdown not only exposes a GitHub credential but operationalizes its use by telling the reader exactly where to paste it. In a publish guide, this is especially dangerous because it appears routine and trustworthy, increasing the chance the secret will be reused, captured, or propagated into logs, screenshots, shells, or other systems.

Missing User Warnings (Medium, 92% confidence)

The workflow explicitly instructs collecting and saving the user's API key to a local configuration file, but provides no warning, consent step, masking, or protection guidance. Persisting secrets in plaintext project/config storage increases the risk of credential theft through local compromise, logs, backups, or accidental sharing of the workspace.

Missing User Warnings (Medium, 88% confidence)

The workflow asks users to provide documents, URLs, images, and notes for analysis and generation, but does not disclose that this content may be transmitted to external model/API providers. This creates a privacy and compliance risk because users may unknowingly submit sensitive proprietary, personal, or regulated data to third parties.

Missing User Warnings (Medium, 91% confidence)

The guide tells users to create a public repository and push local contents, but it does not clearly warn that this immediately publishes all tracked files to an external service. In a skill-packaging context, that omission increases the risk of accidental disclosure of tokens, private configs, internal docs, or embedded data if the pre-publish review was incomplete or wrong.

Missing User Warnings (Medium, 95% confidence)

The troubleshooting section recommends a force push but only says to use it cautiously, without explaining that it can overwrite remote history and destroy existing repository state. A user following the guide could unintentionally erase collaborators' work or replace the remote branch with unintended local contents.

Missing User Warnings (Medium, 92% confidence)

The document explicitly instructs the user to create a public GitHub repository and push the local project without any meaningful privacy review beyond a brief checklist item saying '无敏感信息'. In an agent/skill context, this can lead users to unintentionally publish secrets, internal code, tokens, or proprietary data, especially because the instructions emphasize speed and simplicity over verification.

Missing User Warnings (Medium, 88% confidence)

The README explicitly encourages users to provide product images, documents, and links, but gives no warning that these materials may contain confidential, personal, or proprietary data. In a skill that sends user-supplied content to external AI/video-generation services, this omission increases the risk of unintended data disclosure to third-party APIs or logs.

Missing User Warnings (Medium, 91% confidence)

The configuration instructions ask users to supply API keys but do not explain secure handling, storage location, rotation, or the risks of placing credentials in project files or shared environments. This can lead users to expose secrets in plaintext configs, shell history, screenshots, or repository contents, enabling unauthorized use of their accounts.

Missing User Warnings (Medium, 96% confidence)

The README instructs first-time users to provide an API key but does not warn that credentials are sensitive, should not be pasted into normal chat, and may be persisted locally. In an agent skill context, encouraging users to disclose secrets conversationally increases the risk of accidental exposure through logs, transcripts, screenshots, or downstream storage.

Missing User Warnings (Medium, 98% confidence)

The documentation specifies local persistent storage of API credentials in a config file without any warning about sensitivity, file permissions, or safer storage mechanisms. Persisting secrets on disk in a predictable location can expose them to other local users, backups, sync tools, or accidental sharing.

Missing User Warnings (Medium, 99% confidence)

The example dialogue shows a user pasting a full API key directly into the conversation, normalizing unsafe handling of credentials. In chat-based systems this can leak secrets into conversation logs, telemetry, debugging traces, or UI history, making unauthorized reuse of the key more likely.

Missing User Warnings (High, 94% confidence)

The skill asks users to provide and save an API key but does not warn them about credential storage, reuse risk, local persistence, or who can access the stored key. In a skill that already hardcodes and persists secrets, the lack of disclosure materially increases the chance users will expose production credentials without informed consent.

Missing User Warnings (High, 91% confidence)

The skill states that it analyzes reference materials and generates video through an external API, but it does not clearly tell users that documents, links, images, and prompts may be transmitted to third-party services. Because reference materials may contain proprietary or personal data, omission of this disclosure creates a real data exfiltration and privacy risk.

Missing User Warnings (Medium, 97% confidence)

The project-level API key is persisted in plaintext JSON on disk under a predictable workspace path, and the code gives no warning, consent flow, or protection such as restrictive file permissions. If the workspace is shared, backed up, logged, or later exposed through another bug, the credential can be recovered and abused against the external API.

Missing User Warnings (Medium, 98% confidence)

The global configuration saves the default API key in plaintext to a fixed file path under /root/.openclaw/workspace, with no user-facing disclosure and no visible hardening of file permissions. Storing long-lived credentials this way increases the chance of accidental disclosure through local access, backups, misconfigured permissions, or subsequent file-read vulnerabilities elsewhere in the system.

Missing User Warnings (Medium, 95% confidence)

The script creates a public GitHub repository from the current directory and pushes its contents with `--source=. --push` without an explicit confirmation that all files in the directory will be uploaded publicly. This can unintentionally expose secrets, private assets, configuration files, or unrelated local content if the user runs the script from the wrong directory or has not audited the repository contents.

Missing User Warnings (High, 96% confidence)

The script performs `git push --force` automatically without any confirmation, which can overwrite remote history and destroy collaborators' commits. In an automation/agent skill, the lack of an interactive safety check makes accidental destructive execution much more likely, especially if invoked in the wrong repository or branch.

Missing User Warnings (Medium, 75% confidence)

The skill persists full project state, including references, notes, script content, and user identifiers, to disk under /root without any user-facing disclosure, retention controls, or access restrictions shown. In an agent environment, silent persistence of potentially sensitive user-provided content can create confidentiality and privacy risk, especially on shared or long-lived hosts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal