HeyVideoGen

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-generation skill, but its helper script can execute shell commands built from user or generated text, so it should be reviewed carefully before installation.

Install only if you are comfortable running a shell-based video pipeline in a controlled workspace. Use limited-scope API keys, avoid sensitive scripts or proprietary prompts unless you trust the downstream providers, and do not pass untrusted project names or generated storyboard text until the helper script is changed to use shell=False with validated paths and arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (7)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
import subprocess

def cmd(cmd: str, cwd=None, shell=True):
    # Echo the command, then run it through the shell (shell=True by default),
    # so any shell metacharacters in `cmd` are interpreted by the shell.
    print(f"\n>>> {cmd}")
    result = subprocess.run(cmd, cwd=cwd, shell=shell, capture_output=False)
    return result.returncode == 0
Confidence: 98%
Finding: result = subprocess.run(cmd, cwd=cwd, shell=shell, capture_output=False)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to run shell commands and write files throughout the workflow, but it does not declare any permissions or capability boundaries. This creates a mismatch between what the skill can cause an agent to do and what reviewers or policy controls can transparently enforce, increasing the risk of unintended filesystem changes or command execution.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The script constructs shell commands from user-influenced values and executes them through the generic cmd() wrapper. Inputs include project names, narration text, panel prompts, and paths; if any contain shell metacharacters or quote-breaking payloads, the process can execute arbitrary commands with the agent's privileges.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger phrases include very broad everyday requests such as '做视频' and '生成视频', which can match many unrelated user intents. Over-broad activation can cause this skill to take over conversations unexpectedly and then drive shell/file actions that the user did not specifically request in this workflow.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The skill states it may be proactively recommended whenever the videogen skill responds, which creates ambiguous chaining between skills without a clear user request. This can lead to unintended invocation escalation, where one skill response causes another skill with shell and file-writing behavior to be introduced or activated unnecessarily.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The command at initialization interpolates the user-supplied project name directly into a shell command executed with shell=True. A crafted project name containing shell syntax could execute arbitrary commands or write outside the intended workspace, which is especially dangerous because this script operates on project directories and build tooling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The video-generation command embeds untrusted prompt text and output paths into a shell command. Because prompts come from storyboard content derived from the user topic and possibly model output, an attacker can inject shell syntax through content generation and gain arbitrary command execution, while also causing external API actions.

VirusTotal

66/66 vendors flagged this skill as clean.