Alicloud Ai Video Wan Video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud DashScope video-generation skill with expected cloud upload, credential, download, and local-output behavior.

Install only if you intend to use Alibaba Cloud DashScope. Use a dedicated API key, avoid private or regulated prompts/images unless approved for that provider, treat local reference-image paths as uploads to Alibaba Cloud, and periodically clean saved task logs and generated-media URLs from the output directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to save task IDs, polling responses, final video URLs, and end-to-end logs, but it does not mention retention limits, redaction, or privacy implications. Those artifacts can contain prompts, URLs to generated media, operational metadata, and potentially sensitive user content, increasing the risk of unintended disclosure or long-term data accumulation.

Missing User Warnings

High
Confidence: 96%
Finding
The documentation states that local reference images are auto-uploaded to DashScope and prompts are sent for generation, but it provides no warning that local files and user-provided content will be transmitted to an external third-party service. In contexts involving private images, proprietary media, or regulated data, this can cause serious confidentiality and compliance issues because operators may unknowingly exfiltrate sensitive content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The reference explicitly states that local files provided as `reference_image` are automatically uploaded to DashScope, but it does not warn users that supplying a local path causes data transmission to a third-party service. In a video-generation integration skill, this can lead to accidental exfiltration of sensitive local images if developers pass filesystem paths assuming purely local processing.

VirusTotal

66/66 vendors flagged this skill as clean.
