Security audit

Fanqie Novel AI Video Drama Batch Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform its stated AI video-generation job, but it sends novel-derived text to outside AI and TTS services and writes generated media locally.

Install only if you are comfortable sending novel text, prompts, and narration to third-party AI/TTS services. Avoid confidential, unpublished, or regulated content unless the provider terms are acceptable, and confirm ffmpeg/node-fetch are available before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user-supplied chapter content to external AI services to generate prompts, video, images, and TTS-derived output, but there is no disclosure, consent flow, or data-minimization control. If users provide unpublished manuscripts, private stories, or regulated data, that content can be exposed to third-party processors without their awareness.

External Transmission

Medium
Category
Data Exfiltration
Content
// Manhua (comic) video
async function genManhua(prompt, style) {
  const r = await fetch("https://api.kelingai.com/v1/video/generate", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt: `${style}动漫分镜,9:16,流畅,${prompt}`, duration: 3 })
Confidence
92% confidence
Finding
fetch("https://api.kelingai.com/v1/video/generate", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
// Live-action video
async function genReal(prompt, style) {
  const r = await fetch("https://api.kelingai.com/v1/video/generate", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt: `${style}真人,电影质感,9:16,${prompt}`, model: "realistic", duration: 3 })
Confidence
92% confidence
Finding
fetch("https://api.kelingai.com/v1/video/generate", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
// Cover image
async function genCover(prompt) {
  const r = await fetch("https://api.kelingai.com/v1/image/generate", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt: `${prompt},竖屏封面,9:16,高清` })
Confidence
89% confidence
Finding
fetch("https://api.kelingai.com/v1/image/generate", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
// Voice-over
async function genVoice(text, out) {
  const r = await fetch("https://openspeech.bytedance.com/api/v1/tts", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ text, voice: "cute_female", format: "mp3" })
Confidence
95% confidence
Finding
fetch("https://openspeech.bytedance.com/api/v1/tts", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
// Manhua (comic) video
async function genManhua(prompt, style) {
  const r = await fetch("https://api.kelingai.com/v1/video/generate", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt: `${style}动漫分镜,9:16,流畅,${prompt}`, duration: 3 })
Confidence
92% confidence
Finding
https://api.kelingai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
// Live-action video
async function genReal(prompt, style) {
  const r = await fetch("https://api.kelingai.com/v1/video/generate", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt: `${style}真人,电影质感,9:16,${prompt}`, model: "realistic", duration: 3 })
Confidence
92% confidence
Finding
https://api.kelingai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
// Cover image
async function genCover(prompt) {
  const r = await fetch("https://api.kelingai.com/v1/image/generate", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ prompt: `${prompt},竖屏封面,9:16,高清` })
Confidence
89% confidence
Finding
https://api.kelingai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
skill.js:75