ClawHub

libtv-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent AI image/video generation integration, but users should understand it sends prompts and selected media to external services and may save generated files locally.

Install only if you trust the publisher and the configured API endpoints. Use scoped or revocable API keys, avoid command-line secrets in shared environments, do not upload confidential or regulated media unless authorized, and confirm where generated files will be saved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes networked image/video generation plus file upload, polling, and download workflows, but it does not warn users that prompts, media, and related metadata will be transmitted to third-party services. In an agent skill context, this omission can cause users to submit sensitive files or personal data without informed consent, increasing privacy and compliance risk.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill declares that virtually any request involving image or video creation or editing 'must' trigger this skill, using broad examples like common creative phrasing. This can cause unintended invocation on ordinary conversation, routing user content and files to external generation services without sufficiently precise intent matching, which increases privacy, cost, and action-misfire risk.

Vague Triggers

High
Confidence
98% confidence
Finding
The manifest trigger words include very generic terms such as '画', '生成', and '做动画', which are common in everyday conversation and not uniquely tied to this skill. Overbroad trigger vocabulary makes accidental activation likely, causing the agent to invoke external APIs or upload workflows when the user may not have intended to use this integration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly shows passing API credentials via environment variables and command-line flags, but does not warn that command-line arguments can be exposed through shell history, process listings, CI logs, and terminal recordings. In a usage guide for external API tooling, this omission can lead users to handle secrets insecurely and unintentionally leak valid credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples show uploading local image files and supplying image URLs to remote video-generation providers without warning users that the referenced content will be transmitted to third-party services. This creates privacy and data-governance risk, especially if users provide sensitive local files or URLs containing private or access-controlled media.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow instructs the agent to automatically download generated results to a local Downloads directory without any notice, confirmation, or user-consent step. This can cause unexpected local writes, leak sensitive project naming into the filesystem, and violate user expectations about when files are created on disk.

Missing User Warnings

High
Confidence
96% confidence
Finding
This workflow tells the agent to upload user-provided local image/video files to an OSS URL but does not warn that local data will be transmitted to a remote service. If the user supplies sensitive media, the agent may exfiltrate private content off-device without informed consent or adequate privacy disclosure.

Missing User Warnings

High
Confidence
95% confidence
Finding
The reference-media generation flow similarly requires uploading local reference files to a remote service, again without privacy or data-transfer warnings. In the context of an agent skill, this increases the risk of unintentionally disclosing confidential images or videos simply by following the documented workflow.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal