GoAI Video Gen

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GoAI video-generation skill that sends prompts and any chosen images to GoAI, then saves and returns the generated video link.

Install only if you trust GoAI with the prompts and images you choose to provide. Avoid passing private or sensitive local images unless you are comfortable uploading them to GoAI, keep GOAI_API_KEY private, leave GOAI_BASE_URL at the default unless you intentionally trust another endpoint, and treat returned media URLs as externally shareable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger description uses broad verbs like 'create', 'generate', and 'make videos', which can over-match ordinary user requests and cause this skill to activate outside a narrow, user-expected GoAI context. In practice, that can route prompts or local image inputs to a remote third-party service when the user did not clearly intend to use this provider.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill states that local image paths are uploaded and that resulting URLs are returned, but it does not prominently warn users about the privacy consequences, including transfer of local content to a remote service and possible public accessibility of generated media URLs. This is dangerous because users may provide sensitive local files under the assumption they stay local.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code automatically uploads any non-URL image path provided by the caller to a remote GoAI-controlled service, with no explicit user-facing notice or confirmation at the point of exfiltration. In an agent setting, local paths may contain sensitive user images, so silent transfer off-host creates a real privacy and data-handling risk even if the upload is necessary for functionality.

Missing User Warnings

Low
Confidence: 79%
Finding
The function downloads arbitrary remote media and writes it to a caller-specified path on disk without a user-facing warning. While writing output files is expected for a media-generation skill, silent persistence can surprise users, overwrite files, or leave unreviewed content on disk if higher-level code does not clearly disclose the behavior.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script accepts local file paths and remote image URLs, resolves them, and sends the resulting image data to an external GoAI video-generation API without any explicit consent prompt, warning, or visibility to the user about third-party transmission. In an agent-skill context, this can cause unintended exfiltration of sensitive local images or fetch-and-forward of remote content, especially when users may not realize their inputs are being uploaded off-host.

VirusTotal

64/64 vendors flagged this skill as clean.
