ClawHub
Back to skill

Security audit

UGC Fashion & Activewear Product Video Generator — Fitness Ecommerce Content Creator for Social Media Influencers on TikTok, Instagram Reels

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for external media generation, with privacy caveats around uploading chosen images and narration text.

Use this skill only when you are comfortable sending selected images and narration text to the external media/TTS provider. Review files and scripts for sensitive content first. VirusTotal was pending and not treated as a negative signal, and the artifacts reviewed did not show hidden persistence or destructive behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to upload a local user-supplied image to the vendor's external service using `ima upload`, but it does not require a clear user-facing disclosure or confirmation before that transfer occurs. This is a real data-handling vulnerability because local files may contain sensitive visual content or metadata, and users may reasonably expect local analysis rather than automatic transmission to a third party.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill sends generated narration text to an external text-to-speech API without clearly disclosing that user-derived content will leave the local environment. While the script is typically less sensitive than an uploaded image, it can still contain brand plans, campaign messaging, or proprietary product details derived from user input, so silent external transfer is still a privacy and data-governance issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.