qwencloud-video-generation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent QwenCloud video-generation skill, but it uses a cloud API, API keys, billable requests, local media uploads, and an optional update-check workflow.

Install only if you intend to use QwenCloud/DashScope video generation and accept that prompts and selected media may leave your machine and incur charges. Use a scoped API key, avoid sensitive local files unless external processing is approved, check any custom QWEN_BASE_URL or OSS settings, and review optional npx installs, agent-config edits, and deletion commands before allowing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tainted flow: 'req' from os.getenv (line 687, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content (excerpt from the scanned skill's download helper; the enclosing function signature is not shown in the report):

```python
    """Download a file from *url* to *dest*, creating parent dirs as needed."""
    dest.parent.mkdir(parents=True, exist_ok=True)
    req = urllib.request.Request(url, headers={"User-Agent": "qwencloud-ai/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        dest.write_bytes(resp.read())  # remote bytes are written to disk unchecked
    return dest
```

Confidence: 84%
Flagged line: `with urllib.request.urlopen(req, timeout=timeout) as resp:`

Tainted flow: 'req' from os.getenv (line 687, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content (excerpt from the scanned skill's request/retry loop; the report truncates the except branch):

```python
    for attempt in range(retries + 1):
        req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as exc:
            body = ""
```

Confidence: 77%
Flagged line: `with urllib.request.urlopen(req, timeout=timeout) as resp:`

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill includes an update-management flow that can install another skill via `npx skills add ...` and run additional scripts unrelated to the core video-generation function. This expands the attack surface by allowing package installation and execution of new code in response to stderr signals, creating a supply-chain and privilege-expansion risk if the referenced package or skill is compromised or if the trigger is spoofed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: This file implements update prompting, installation guidance, and persistent state management that are unrelated to the declared video-generation/editing purpose of the skill. Such hidden auxiliary behavior expands the skill's authority and creates an unexpected control path that can influence the agent's environment and user decisions, which is risky in a skill that should be narrowly scoped.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The skill executes another skill's script via subprocess even though that capability is not justified by the stated video-generation purpose. In context, this creates an undisclosed execution chain into a separate component, so compromise or unexpected behavior in the other skill can be triggered transitively from this one.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding: The trigger criteria are broad enough to match many ordinary requests about creating or editing videos, causing the skill to activate frequently. In an agent environment with shell, network, and file capabilities, over-broad triggering raises the chance of unnecessary execution of powerful tooling and accidental side effects outside the user's intended workflow.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The registry entry advertises broad trigger phrases like "generate video" and "animation," which are common user intents and can cause this skill to be invoked in situations where a more specific or safer skill-routing decision should occur. In an agent ecosystem that auto-selects skills from trigger text, overly broad matching increases the risk of unintended activation, inappropriate file reads/modifications, and confused-deputy behavior.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The example demonstrates supplying a local file path as input to a cloud video-generation workflow without any warning that the file contents may be uploaded to an external service. This can lead users to unintentionally transmit sensitive local media or embedded metadata, especially because the skill is explicitly for QwenCloud-hosted generation rather than purely local processing.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The guide tells users to send prompts and an API bearer token via curl to a third-party service without any notice that prompts, generated-content parameters, and authentication material are being transmitted off-box. In a skill that may handle sensitive user prompts or proprietary media-generation requests, missing disclosure and handling guidance can lead to unintended data exposure and poor operator decisions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The guide states that local file inputs are auto-uploaded to DashScope temporary storage, but provides no user-facing warning that local content leaves the machine. This is risky because users may supply private images or video frames assuming local-only processing, resulting in unintended disclosure to an external service.

Missing User Warnings

Severity: Low
Confidence: 96%
Finding: The guide includes `rm -rf .venv` as a cleanup step without explicitly warning that it irreversibly deletes the entire `.venv` directory. While the target is a conventional virtual environment path and the surrounding context is legitimate developer setup, destructive shell commands in instructional content can still cause unintended data loss if copied blindly or if the current directory is not what the user expects.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The function silently downloads remote content and persists it locally, which can surprise users and downstream tooling and can be abused to store malicious or oversized content. In an agent skill that handles media artifacts, undisclosed remote fetch-and-write behavior increases risk because URLs may originate from external prompts or model outputs.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The helper automatically converts user-supplied local paths into remotely accessible URLs via resolve_file and mutates the request in place, which can cause unintended upload of local files to an external service. In a video-generation skill, users are likely to provide image, audio, or video inputs as file paths, so silent exfiltration of local content is realistic if there is no explicit consent, path restriction, or validation of what may be uploaded.

VirusTotal

64/64 vendors flagged this skill as clean.