Anima

Security checks across malware telemetry and agentic risk

Overview

Anima is a mostly disclosed avatar-video generator, but it needs Review because user-controlled text, recipient IDs, and paths are placed into shell commands that can execute unintended local commands.

Review or patch the command execution paths before installing. Use preview mode for sensitive content, provide Feishu credentials only if you intend the skill to upload and send videos, and avoid untrusted script text, recipient IDs, or file paths until shell commands are replaced with safer argument-array or HTTP-client calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill goes beyond local video generation and can deliver the generated file to an arbitrary recipient via `send_video_pro.js` when `--target` is supplied. That expands the capability from content creation into outbound transmission, which creates exfiltration and misuse risk if the skill is invoked with sensitive or policy-restricted content.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The `--script` argument accepts any existing local path and copies that file into the temp directory without constraining location or type. This enables the skill to read arbitrary local files accessible to the process, which is outside the stated purpose of video generation and could expose sensitive host data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Using execSync to build and execute shell commands with interpolated data materially increases the attack surface, especially because the curl command includes a secret API key and shell invocation is unnecessary here. Even if current inputs are mostly local, shell-based networking creates command-injection and secret-exposure risks and is disproportionate to the task.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script uploads a generated video and cover image to Feishu and sends them to a specified chat, but the stated skill description focuses on video generation rather than outbound messaging or data transfer. This creates a capability/expectation mismatch that can surprise users and enable unintended disclosure of generated content and recipient identifiers.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The code accesses Feishu app credentials from environment variables for a skill whose primary description is media generation, indicating undeclared external-service access. Reading credentials is not inherently malicious, but in this context it expands the trust boundary and can facilitate undisclosed messaging actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not prominently warn that generated videos and related content may be uploaded to Feishu/Lark and sent to specified recipients, nor that text/audio/image data may be transmitted to third-party services. In this context, omission is security-relevant because the skill handles user-provided content and API-backed outbound delivery, making accidental data exfiltration more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Gemini API key is embedded directly in the shell command URL, which can expose it through process listings, shell history, crash logs, debugging output, or monitoring tools. The code also transmits image content and prompts to an external service without any visible consent, warning, or minimization controls.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script builds shell commands with interpolated user-controlled VIDEO_PATH and executes them with execSync for ffprobe/ffmpeg. An attacker supplying a crafted argument containing shell metacharacters or quotes can achieve command injection and execute arbitrary commands on the host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code uploads video content and a cover image to Feishu and sends a message to a recipient ID without any visible consent, warning, or policy enforcement. In a video-generation skill, this broadens behavior from local processing to external sharing, increasing the risk of accidental data leakage.

External Transmission

Medium
Category
Data Exfiltration
Content
const payloadPath = path.resolve(__dirname, '../temp/_gen_payload.json');
fs.writeFileSync(payloadPath, payload);

const cmd = `curl -s -X POST "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash-exp:generateContent?key=${apiKey}" -H "Content-Type: application/json" -d @"${payloadPath}"`;
const response = JSON.parse(execSync(cmd, { maxBuffer: 50 * 1024 * 1024 }).toString());

// Clean up payload
Confidence
90% confidence
Finding
curl -s -X POST "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash-exp:generateContent?key=${apiKey}" -H "Content-Type: application/json" -d

VirusTotal

66/66 vendors flagged this skill as clean.
