Security audit

Sauce Duck Video Maker

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate RunningHub videos as advertised, but it stores and exposes the user's API key and changes global OpenClaw configuration in ways users should review first.

Install only if you trust this skill with a RunningHub API key and are comfortable with it being saved in local OpenClaw config. Prefer a limited or disposable RunningHub key, verify the host is www.runninghub.cn or www.runninghub.ai before running tasks, and avoid using this in terminals or automation where command output and process arguments may be logged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The skill asks the agent to collect and persist a RunningHub API key in local configuration, creating long-lived credential exposure beyond a single video-generation request. Persisting user secrets increases the blast radius of any compromise, accidental logging, later misuse, or cross-task access by other components.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
The --check path returns and prints the stored apiKey in cleartext, directly disclosing a secret from the user's local OpenClaw configuration. A helper script for configuring a video-generation skill does not need to reveal the full credential, and in the skill context this makes secret theft or accidental logging materially more dangerous because users may run it in terminals, wrappers, or automation that capture stdout.

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
This script is not limited to video-generation behavior; it reads and modifies the user's global OpenClaw configuration under ~/.openclaw/openclaw.json. That creates persistent side effects outside the skill's stated purpose and can silently change how the platform resolves and runs the skill, which is risky in an agent/plugin context.

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
The set_host path can enable the skill and set RH_HOST in the global config without any trust boundary checks, confirmation, or restrictions on the supplied host. In practice this can redirect the skill to an attacker-controlled backend or alter local skill behavior persistently, which is more dangerous than the advertised meme-video function suggests.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The script accesses a per-user OpenClaw configuration file, extracts both the service host and the skill API key, and returns them as JSON. For a skill whose stated purpose is generating comedic multilingual videos, reading credential material from a general user config is unnecessary and creates a clear secret-exposure path if this helper is invoked by other components or logged.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill handles a sensitive API key without any clear user-facing warning that the credential will be collected and saved for future use. Users may provide a high-value secret without understanding retention, storage location, who can access it, or the consequences if the environment is compromised.

Missing User Warnings

Severity: Medium | Confidence: 90%
The skill sends the host, API key, and task parameters to an external RunningHub service without explicitly warning the user that their data and credentials will be transmitted off-platform. This is risky because it can expose secrets and user inputs to third-party infrastructure, potentially subject to different logging, retention, or regional privacy practices.

Missing User Warnings

Severity: High | Confidence: 99%
Printing the API key to stdout exposes the credential to shell history, terminal logs, CI logs, parent processes, and any tool capturing command output. Because this script is specifically meant to manage a stored secret, emitting that secret without warning or access control is a direct secret-disclosure flaw rather than a harmless usability issue.

Missing User Warnings

Severity: Medium | Confidence: 89%
save_config writes directly to ~/.openclaw/openclaw.json, and the overall script flow allows this to happen with no prior warning, review, backup, or confirmation. Silent modification of user configuration is a security-relevant behavior because it creates persistent state changes that may be abused or may break the user's trusted environment.

Missing User Warnings

Severity: Medium | Confidence: 98%
After loading the user's configuration, the script prints the extracted host and API key directly to stdout. Outputting credential-related data without warning, masking, or access controls is dangerous because stdout is commonly captured by parent processes, logs, telemetry, or other tools, turning a local config read into credential disclosure.

Missing User Warnings

Severity: Medium | Confidence: 92%
The script takes the API key as a command-line argument and then uses it in a bearer Authorization header. Passing secrets via argv is dangerous because they can be exposed through shell history, process listings, job logs, or orchestration metadata, even if the HTTPS transport itself is encrypted. In this skill context, the script is intended for automation around a third-party service, so users are likely to run it in shared CI/agent environments where command-line secret leakage is a realistic risk.

VirusTotal

66/66 vendors flagged this skill as clean.