ClawHub

文生图视频生成

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only media-generation workflow that openly uses cloud upload and an external generation API, so it is acceptable but should be used only with non-sensitive media.

Install only if you are comfortable sending selected assets, prompts, and generation metadata to Alibaba Cloud OSS and api.wuyinkeji.com. Keep private or sensitive images out of the assets folder, and verify the referenced spreadsheet and third-party retention/access settings before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to upload a locally selected asset from the workspace to Alibaba Cloud OSS and then use the resulting URL with a third-party generation platform, but it does not clearly disclose this data transfer or require user confirmation. This creates a real data exfiltration risk because local files from the agent environment may be transmitted to external services without informed consent, even if the intended content is only media assets.

External Transmission

Medium
Category
Data Exfiltration
Content
### 3. 调用生成脚本
参考资料"防汛脚本20260309.xlsx",资料中每一行,对应生成一个视频,每次生成一个,根据用户提示词确定生成哪一个。生成视频时,按具体行对视频要求来生成

调用聚合平台接口生成,接口参考:https://api.wuyinkeji.com/doc/60。
生成时长默认15秒,视频清晰度默认large。
Confidence
92% confidence
Finding
https://api.wuyinkeji.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### 4. 查看结果
调用聚合平台接口查看结果,接口参考:https://api.wuyinkeji.com/doc/36

生成的视频保存在:`/home/xihu/.openclaw/workspace/output/<标题>.mp4`,标题来源“防汛脚本20260309.xlsx”
Confidence
83% confidence
Finding
https://api.wuyinkeji.com/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal