ClawHub

video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward video-generation wrapper for SkillBoss that sends user-provided prompts or images to a remote API and saves the returned video locally.

Install only if you trust SkillBoss with your prompts, reference images, and SKILLBOSS_API_KEY. Avoid sensitive media or secrets, use a rotatable API key, and choose a dedicated output filename or directory to avoid overwriting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'video_resp' from requests.get (line 127, network input) → pathlib.Path.write_bytes (file write)

Medium
Category
Data Flow
Content
print(f"Downloading video from {video_url}...")
        video_resp = requests.get(video_url, timeout=120)
        video_resp.raise_for_status()
        output_path.write_bytes(video_resp.content)

        # Verify and report
        if output_path.exists():
Confidence
90% confidence
Finding
output_path.write_bytes(video_resp.content)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill explicitly instructs the user to generate an MP4 file but does not warn that the specified output path will create or overwrite a local file. This is a genuine safety/documentation issue because users may unintentionally replace an existing file or write into an unexpected location, though the impact is limited to local file handling rather than code execution.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill sends prompts and possibly input images to a remote API service using `SKILLBOSS_API_KEY`, but the description does not disclose the privacy and network implications. This is a real issue because users may provide sensitive prompts or media without realizing the content leaves the local environment and is handled by a third-party API hub.

VirusTotal

No VirusTotal findings

View on VirusTotal