ClawHub

HiAPI HappyHorse 1.0 Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward HiAPI text-to-video integration that sends prompts to a remote video-generation API and saves generated videos locally when possible.

Install only if you are comfortable sending video prompts and generation settings to HiAPI under your account. Do not include secrets, regulated personal data, or confidential business material in prompts unless your organization approves that use, and review the npx installer because it can replace an existing skill folder with the same name.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README encourages users to submit natural-language prompts and generation requests to HiAPI but does not clearly disclose that this content is transmitted to an external third-party service. In an agent-skill context, users may include sensitive business data, proprietary concepts, or personal information in prompts, so missing disclosure increases the risk of unintended data exfiltration and privacy/compliance violations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
该 README 在介绍视频生成能力、命令行调用和本地/URL 输出时,没有明确提醒用户其提示词、生成参数以及可能关联的媒体内容会被发送到第三方 HiAPI 服务处理。对 Agent 技能而言,用户常会直接输入商业创意、未公开脚本、品牌素材需求或其他敏感内容;缺少显式的数据出境/第三方处理提示,容易导致用户在不知情情况下泄露敏感信息。

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs agents to send user prompts to HiAPI and requires an API key, but it does not explicitly warn that prompts and possibly related generation parameters will be transmitted to a third-party remote service. In an agent setting, users may assume local processing unless told otherwise, creating a privacy and consent gap that can expose sensitive or regulated data.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill downloads the generated video and writes it to a local path by default (`save !== false`) without any explicit consent, warning, or disclosure in the code path performing generation. While this is not an exploit primitive by itself, it can create unexpected persistence of potentially sensitive or policy-relevant user content on disk, especially in shared or multi-user environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal