ClawHub

高光集锦

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sparki cloud video-editing skill, with expected privacy considerations around uploading videos and storing local API/history data.

Install this only if you trust Sparki to process the videos you choose to upload. Prefer the default Sparki API endpoint, avoid base-url overrides unless you control the endpoint, and use environment variables or protect/clear the OpenClaw config files if the machine is shared or backed up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The instruction to use this skill 'FIRST and PROACTIVELY' for a very broad set of common video-related terms can cause over-selection of this skill even when a simpler or safer workflow is more appropriate. That kind of trigger hijacking can steer user interactions toward an external service and away from user intent or least-privilege tool choice.

Missing User Warnings

Low
Confidence
67% confidence
Finding
Project history is persisted locally without explicit user disclosure, which can create a privacy issue on shared systems by leaving behind task IDs, workflow metadata, and timestamps. In this skill context the danger is limited because the stored content is not obviously highly sensitive, but undisclosed retention still increases exposure and surprises users.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The save() method writes the API key into a JSON config file on disk with no visible indication of permission hardening, encryption, or user-facing disclosure. Storing bearer credentials in plaintext increases the risk of credential theft from local compromise, backups, shared machines, or overly permissive filesystem settings.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal