HiAPI Seedance 2.0 Video

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent HiAPI video-generation integration, with expected third-party API use and limited local writes, but users should understand what data is sent and where outputs are saved.

Install only if you intend to use HiAPI for video generation. Prompts, media URLs or data URIs, and generation settings may be sent to HiAPI using your API key, and generated videos may be saved locally under outputs or returned as remote URLs. Keep HIAPI_BASE_URL pointed at a trusted HiAPI endpoint, avoid submitting secrets or private media unless approved, and back up any locally modified copy before running the npx installer because it can replace the existing skill folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README describes generation features, local saving to `outputs/`, and fallback to returning remote video URLs, but it does not present a clear privacy/data-handling warning that user prompts and supplied media are transmitted to HiAPI, a third-party service. In a skill intended for agent use, that omission can cause users or downstream agents to submit sensitive images, audio, or prompts without informed consent, increasing confidentiality and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This is a real issue because the skill explicitly sends user prompts and user-supplied media URLs to HiAPI, an external third-party service, but the user-facing description does not warn about that data transfer. Users may provide sensitive prompts, internal URLs, or proprietary media without understanding that this information leaves the local environment, creating privacy, confidentiality, and compliance risks.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The skill enables implicit invocation without any visible trigger constraints or exclusion criteria, which can cause the agent to call this external video-generation capability when the user did not explicitly request it. Because this skill sends user prompts to a third-party API and may incur cost or expose sensitive prompt content, broad auto-invocation increases the risk of unintended data disclosure, surprise actions, and billing abuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The installer unconditionally removes any existing skill directory at the destination before cloning, and in non-interactive or --yes mode this happens without a confirmation prompt. This can cause unintended data loss or replacement of locally modified content, especially because the target path can be influenced by flags or environment variables and the script is explicitly designed to run unattended via npx.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
```text
POST https://api.hiapi.ai/v1/tasks
GET https://api.hiapi.ai/v1/tasks/{taskId}
```

Set `HIAPI_BASE_URL` to override the host.
Confidence: 75%
Finding
https://api.hiapi.ai/

VirusTotal

65/65 vendors flagged this skill as clean.