Seedance 2.0 AI Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Loova video-generation helper, but users should understand that prompts and selected media are sent to Loova.

Install only if you trust Loova with the prompts, media URLs, and any local files you pass with --files. Use a dedicated Loova API key, avoid sensitive or regulated media unless approved, and consider installing in a virtual environment with pinned dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates use of environment variables and outbound network access, but the static finding says no permissions are declared while those capabilities are present. That mismatch is a real security issue because it can hide the skill's operational scope from reviewers and users, reducing informed consent and weakening policy enforcement around secret access and external communication.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide explicitly encourages users to pass local files with `--files` for upload to the Loova API, but it does not clearly disclose that those files leave the local machine and are transmitted to a third-party service. This can lead users to unintentionally upload sensitive images, videos, or audio, especially in agent or automation contexts where local paths may contain private data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages uploading local media files to Loova's external API but does not warn users that attached files and prompts will leave the local environment and be processed by a third party. In an agent/skill context, this omission can cause users to disclose sensitive images, videos, audio, or metadata without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The agent usage section says the agent can run the script with prompts and optional files, but it does not explicitly disclose that this content is sent to a third-party service. In an autonomous or semi-autonomous agent workflow, that missing warning increases the risk of inadvertent exfiltration of user content to an external vendor.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
Confidence
93% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
