Security audit

Content Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed content generation workflow that uses third-party APIs and local output files in ways that match its stated purpose.

Install only if you are comfortable giving this skill TikHub, Ofox/OpenRouter, and optionally Ark credentials, and with your links, brand context, product descriptions, prompts, and generated outputs being sent to those services. Use --no-real-video to avoid Ark video charges, review generated files before sharing them, and avoid running it from a workspace with unrelated .env credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tainted flow: 'req' from os.environ.get (line 69, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            data = json.loads(resp.read())
    except urllib.error.HTTPError as e:
        err_body = e.read().decode("utf-8", errors="replace")[:500]
Confidence
94% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 186, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            data = json.loads(resp.read())
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", errors="replace")[:500]
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 186, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
)

    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", errors="replace")[:500]
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 186, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    out_path.parent.mkdir(parents=True, exist_ok=True)
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "curl/8.7.1"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out_path.write_bytes(resp.read())
    except urllib.error.HTTPError as e:
        raise SeedanceError(f"HTTP {e.code} downloading video from {url[:80]}") from e
Confidence
82% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The client searches for API keys in multiple locations, including the current working directory and shared XDG config paths, which broadens the trust boundary beyond this specific skill. In an agent environment, a malicious workspace or unexpected .env file could cause the skill to consume unintended credentials, enabling confused-deputy behavior or accidental cross-project secret use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code sends user-controlled inputs and derived content to multiple third-party services (LLM, image generation, and optionally video generation) as part of the normal workflow, but this file does not provide a clear consent gate, privacy notice, or data-minimization control before transmission. Because inputs can include links, brand context, deconstruction content, and product details, users may unintentionally disclose sensitive business or personal information to external providers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The image-generation flow incorporates user-supplied product image references into prompts and outbound generation requests without an explicit warning or confirmation that these assets will be used by an external service. If those images contain proprietary designs, customer data, or other sensitive visual information, this can cause unintended data exposure to third-party infrastructure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends shot.prompt_text to a remote video-generation service via submit_and_wait/submit_task, but this file provides no consent gate, sensitivity check, or disclosure at the point of transmission. If prompts contain proprietary campaign plans, personal data, or confidential creative material, users may unknowingly exfiltrate sensitive content to a third-party API.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
write_partial_report stores failed shot prompts verbatim in a markdown file on disk, which can expose sensitive creative briefs, personal data, or internal business context to other local users, backups, or logs. Because this happens automatically during failure handling, users may not realize confidential prompt content is being persisted.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.