Video Pro by cza999

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for AI video generation, but it keeps sensitive scripts and license details in plaintext while making stronger privacy and licensing claims than the artifacts support.

Review before installing. Avoid using confidential scripts unless you accept plaintext local logging, delete or protect ~/.video-pro and ~/openclaw-video-pro/logs after use, use a dedicated OpenAI API key with spending limits, and inspect the external openclaw-video repository and npm dependencies because they are not fully represented in this skill package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script accepts any non-trial license key that merely starts with "VIDEOPRO-" and then grants a permanent license until 2099 without any real server-side validation, signature verification, or binding to a legitimate purchase. This makes premium activation trivially bypassable by anyone who knows the expected prefix, undermining licensing controls and enabling unauthorized access to paid features.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly documents API and webhook flows that send user-provided script content and authorization tokens to third-party domains, but it does not clearly disclose this data transmission or its privacy/security implications before use. In a skill that encourages users to submit potentially sensitive business, marketing, or training content, this omission can lead to unintended exposure of confidential data and credentials.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script stores the full license key, username, hostname, and activation history in plaintext under the user's home directory and appends them to a log file. This can expose sensitive licensing data and host identity to other local users, backups, support bundles, or malware, increasing the risk of credential reuse, privacy leakage, and license theft.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script appends the full user-supplied video prompt to a persistent log file, which can expose sensitive or proprietary content to other local users, backups, support bundles, or later compromise of the host. In this skill context, prompts may contain business plans, personal data, API-relevant text, or confidential media scripts, so silent retention increases privacy and data-handling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
### REST API
```bash
# Generate video
curl -X POST https://api.video-pro.cza999.com/generate \
  -H "Authorization: Bearer $LICENSE_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
curl -X POST https://api.video-pro.cza999.com/generate \ -H "Authorization: Bearer $LICENSE_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### REST API
```bash
# Generate video
curl -X POST https://api.video-pro.cza999.com/generate \
  -H "Authorization: Bearer $LICENSE_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
https://api.video-pro.cza999.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
}'

# Batch generation
curl -X POST https://api.video-pro.cza999.com/batch \
  -H "Authorization: Bearer $LICENSE_KEY" \
  -F "scripts=@scripts.txt" \
  -F "template=education"
```
Confidence
94% confidence
Finding
https://api.video-pro.cza999.com/

VirusTotal

64/64 vendors flagged this skill as clean.