ClawHub

Video Craft Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-creation skill, but its broad trigger wording and under-described digital-human/API workflows require user caution.

Install only if you want a video scripting/subtitle/digital-human workflow. Use explicit video-related prompts, review any Coze or other third-party integration before adding API keys, and do not upload likeness photos or sensitive scripts unless you understand where that data will be sent and have the person’s permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence
97% confidence
Finding
The activation trigger includes vague terms such as '相关业务需求', which are broad enough to match ordinary conversation unrelated to video creation. This can cause accidental skill activation, leading the agent to process user content with the wrong workflow, invoke external dependencies, or expose data to unintended tools.

Vague Triggers

High
Confidence
96% confidence
Finding
The example invocation uses generic language like '帮我处理一下业务需求', which is common everyday phrasing and not specific to video production. In agent environments, examples often shape routing behavior, so this can normalize or encourage accidental activation for unrelated tasks, causing inappropriate tool use or context leakage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes cloning a digital human from a photo but does not warn users about consent, likeness rights, or the privacy sensitivity of biometric-style avatar creation. In this skill context, that omission is material because the feature directly handles a person's image and could facilitate impersonation or unauthorized identity use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal