DramaAIStudio (AI影视工场, "AI Film and TV Studio")

Security checks across malware telemetry and agentic risk

Overview

The skill fits its DramaAIStudio purpose, but it uses persistent agent rules, stored tokens/state, and recurring background jobs that can repeatedly access and share project media, so users should review it carefully before installing.

Install only if you are comfortable giving the skill an iDrama API token and allowing it to keep local state. Prefer host-managed secrets over .env storage, avoid putting tokens directly into cron command text where possible, review or disable scheduled monitoring unless you need it, and treat returned image/video URLs as sensitive links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding:
The skill instructs the agent to read and modify MEMORY.md to persist behavior rules unrelated to the core remote API calls. This creates cross-session persistence and prompt-scope expansion, allowing the skill to influence future agent behavior beyond the immediate task.

Context-Inappropriate Capability

Severity: Low. Confidence: 80%.
Finding:
Persisting current-project context in session_state.json adds local state management that is not strictly necessary for API usage and was not clearly declared in the skill purpose. While lower risk than credential storage, it still creates unintended local data retention and possible cross-session leakage of project metadata.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding:
The skill explicitly recommends storing the API token in a local .env file for reuse. Persisting credentials in skill-local files increases the chance of credential theft, accidental disclosure, reuse by unrelated tasks, or inclusion in backups/logs.

Context-Inappropriate Capability

Severity: High. Confidence: 96%.
Finding:
The cron implementation goes beyond calling the documented DramaAIStudio APIs and directs the agent to execute generic bash/OpenClaw cron commands with interpolated parameters and tokens. This introduces command-execution and autonomous background-action capability that can be abused for persistence, unintended actions, or misuse of sensitive context.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding:
The skill suggests writing authentication tokens to .env without a prominent upfront warning about persistence risks. Users may consent without understanding that credentials remain on disk and may be reused or exposed later.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
The instructions to append/update MEMORY.md and session_state.json do not provide a clear user-facing warning that local files will be modified. Silent local writes undermine transparency and can surprise users with persistent behavioral or metadata changes.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
The cron feature describes ongoing background monitoring and automatic result delivery without a strong warning about repeated API access, continual execution, and persistence of background jobs. Users may unintentionally authorize durable automation with recurring access to project data.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding:
The API documentation states that `save` defaults to true, meaning an optimization request will write back and modify storyboard prompt data unless the caller explicitly disables persistence. This is risky because users or integrators may reasonably expect an 'optimize' operation to be preview-only by default, leading to unintended content changes, overwrites, or automation side effects in creative projects.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The documentation includes a concrete `result_video_url` containing share-stream query parameters such as `su_scene`, `su_exp`, and `su_sig`, which appear to be access-control tokens or signatures. Even if the hostname is illustrative, showing the full tokenized URL format without an explicit warning encourages logging, copying, or exposing bearer-style links that could grant unintended access to generated video assets until expiry.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
The script stores `final_urls`—described in the header as short-lived signed URLs—inside the persisted snapshot JSON on disk. Even if temporary, signed URLs are bearer-style access tokens to media resources, so writing them to local files increases exposure through backups, shared workspaces, logs, or other local users; the skill context makes this more relevant because it handles project media assets that may be sensitive unpublished creative content.

Ssd 3

Severity: Medium. Confidence: 88%.
Finding:
The skill directs periodic collection of project diffs and automatic return of clickable resource URLs into the user conversation. In context, this creates an automated data exfiltration path from the remote platform into chat, which may disclose sensitive project assets or review material more broadly than intended.

Ssd 3

Severity: Medium. Confidence: 92%.
Finding:
The skill instructs the agent to inspect token sources, reveal masked token fragments and origin, and optionally persist the token. Even masked display and source disclosure can normalize credential handling in chat and increase the chance of accidental exposure or unsafe storage.

Ssd 4

Severity: Medium. Confidence: 89%.
Finding:
The workflow chains background-job creation, continuous project querying, diff extraction, and user feedback into a durable automated disclosure loop. While framed as collaboration support, it materially expands data flow and persistence, increasing the chance of oversharing sensitive production information over time.

VirusTotal

67/67 vendors flagged this skill as clean.
