code2animation

Security checks across malware telemetry and agentic risk

Overview

The skill’s video and TTS purpose is coherent, but it includes an unauthenticated audio-generation endpoint that can run shell commands from request input, so it needs review before installation.

Install only if you are comfortable reviewing and hardening it first. Run it in an isolated local workspace, avoid exposing the Vite server to a network, do not provide secrets such as GEMINI_API_KEY, and do not submit sensitive scripts to TTS unless you accept that text being sent to an external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The browser-detection logic builds shell commands with execSync using environment-controlled input: PUPPETEER_EXECUTABLE_PATH is trusted directly, and browser lookup uses shell execution via `which ...`. More importantly, elsewhere in this file the script also uses `spawn(..., { shell: true })`, which broadens the attack surface and can enable command execution through shell interpretation in environments where PATH, npm, or shell behavior is attacker-influenced. In an agent skill context, silently spawning local processes is more dangerous because the skill can execute host commands beyond its apparent rendering purpose.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The code enumerates every iframe in the document and sends playback-control data using postMessage with a wildcard target origin ('*'). Any embedded third-party or compromised iframe can receive timing and control metadata, which creates an unintended cross-origin data exposure and could aid tracking, synchronization abuse, or downstream message-handling attacks in embedded content. In this skill context, the presence of multiple iframes and automated syncing makes the issue more dangerous because the application appears designed to coordinate external embedded media at runtime.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
In record mode, the app publishes internal control functions such as seekTo and getTotalDuration onto the global window object. This increases the attack surface because any script running in the page context, including injected or third-party scripts, can invoke these functions to manipulate playback state or extract render metadata. The impact is limited because this is gated behind record mode and mostly exposes control primitives rather than secrets, but it is still an avoidable capability leak.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The code builds a shell command using untrusted input from the HTTP request body: ``const command = `npx tsx "${scriptPath}" ${projectId}`;`` and executes it with `exec`. An attacker can supply shell metacharacters in `projectId` to achieve arbitrary command execution on the host running the Vite dev server, which is especially dangerous because this endpoint requires no authentication or input validation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly states that TTS audio is generated using Microsoft Edge TTS and later lists Internet access as a requirement, but it does not warn users that input text may be transmitted to an external service. In a video-generation workflow, users may include unreleased scripts, proprietary marketing copy, or sensitive content, so omission of this disclosure can cause unintended data exposure to a third party.

Vague Triggers

Medium
Confidence: 92%
Finding
The description 'A video clip preview tool to preview and export videos' is broad and does not clearly define the specific trigger conditions, data scope, or operational boundaries for invoking the skill. Overly broad skill descriptions can cause the agent to select this skill in unintended contexts, potentially exposing user content or invoking export functionality when a narrower, purpose-specific tool should have been used.

Missing User Warnings

Low
Confidence: 87%
Finding
The stylesheet imports fonts directly from Google Fonts, which causes client browsers to contact a third-party service when the page loads. That request can expose metadata such as IP address, user agent, locale, referrer, and timing information without any disclosure or consent mechanism, making this a real privacy issue even though it is common practice and not overtly malicious.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code accepts postMessage events from any origin and uses the received data to update iframe timeline state, then responds to the parent with a wildcard target origin. Without validating event.origin and event.source, any window able to message this iframe can drive its behavior and potentially interfere with application state or cross-frame coordination. In this animation runtime the exposed action is limited to timeline seeking, so impact is constrained, but the trust boundary violation is real.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script passes ffmpeg the `-y` flag, which forces overwriting the computed output file without any confirmation. If the derived `*-compressed` file already exists, running the script will silently destroy prior data, which is especially risky in automation or repeated runs where users may not notice the overwrite.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script automatically deletes the computed frames directory with `fs.rmSync(..., { recursive: true, force: true })` before rendering, with no confirmation or safety guard. Although the path is rooted under the expected output directory, it includes user-influenced projectId in the directory name and performs destructive filesystem actions automatically, which is risky for an agent-executed skill and could cause data loss if path assumptions change or identifiers collide.

Missing User Warnings

High
Confidence: 98%
Finding
`define: { 'process.env.GEMINI_API_KEY': JSON.stringify(env.GEMINI_API_KEY) }` injects the secret API key into client-side bundled code at build time. Any user of the application can recover this key from the browser bundle or runtime environment and abuse it to access the upstream API, incur costs, or impersonate the application.

VirusTotal

66/66 vendors flagged this skill as clean.
