雀影

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language video prompt and storyboard helper. It has local document editing permissions, but there is no evidence of hidden code, credential access, network behavior, or persistence.

Install only if you are comfortable with a Chinese-first video prompt workflow. Use it in a project folder and review any files it writes or edits, especially generated prompts that you plan to paste into external video or image platforms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The skill hard-requires all prompts to be written in Chinese without giving the user a language choice. This can override user intent, reduce usability for non-Chinese speakers, and cause unsafe misunderstandings if users cannot accurately review or modify generated prompts before using them on external platforms. In this skill, the issue is less severe than code-execution or data-exfiltration flaws, but it is still a genuine policy/UX safety weakness because the tool generates content intended for direct downstream use.

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding
The image-generation section separately mandates Chinese-only prompts, again without user opt-in or fallback behavior. This can impair user comprehension of the generated image prompts and increase the chance that users submit prompts they do not fully understand to image tools, especially when they need to verify sensitive visual details, consent boundaries, or policy compliance. The surrounding skill is a creative video-production workflow, so the context makes this more of an accessibility and safe-operation issue than a high-risk security flaw.

VirusTotal

65/65 vendors flagged this skill as clean.
