Short Video One-Click Generator (短视频一键生成器)

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but its normal video-generation path can run unsafe local shell commands from user-supplied text or paths.

Install only after reviewing or sandboxing the Python script. Avoid untrusted video topics, scripts, titles, subtitles, or output paths until shell command construction is fixed; use limited provider keys, keep OPENAI_BASE on a trusted host, and do not submit confidential content unless the selected AI provider is acceptable for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_cmd(cmd, timeout=120):
    """Run a command and return (ok, stdout)."""
    try:
        # shell=True hands the whole string to the shell, so any shell
        # metacharacters in cmd are interpreted rather than passed literally.
        r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
        return r.returncode == 0, r.stdout.strip()
    except subprocess.TimeoutExpired:
        return False, "Timeout"
Confidence
98% confidence
Finding
r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# edge-tts command line
            # Only quote characters are escaped; because the command is run with
            # shell=True, other shell syntax in text or output_path still reaches the shell.
            safe_text = text.replace('"', '\\"').replace("'", "\\'")
            cmd = f'edge-tts --voice zh-CN-XiaoxiaoNeural --text "{safe_text}" --write-media "{output_path}"'
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)
            if result.returncode == 0 and Path(output_path).exists():
                size_kb = Path(output_path).stat().st_size / 1024
                log(f"  🔊 Edge TTS: {Path(output_path).name} ({size_kb:.0f}KB)")
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=60)

Tainted flow: 'OPENAI_BASE' from os.environ.get (line 53, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
for attempt in range(retries + 1):
        try:
            resp = requests.post(
                f"{OPENAI_BASE}/images/generations",
                headers={
                    "Authorization": f"Bearer {OPENAI_API_KEY}",
Confidence
90% confidence
Finding
resp = requests.post( f"{OPENAI_BASE}/images/generations", headers={ "Authorization": f"Bearer {OPENAI_API_KEY}", "C

Tainted flow: 'OPENAI_BASE' from os.environ.get (line 53, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
for attempt in range(retries + 1):
        try:
            resp = requests.post(
                f"{OPENAI_BASE}/audio/speech",
                headers={
                    "Authorization": f"Bearer {OPENAI_API_KEY}",
Confidence
90% confidence
Finding
resp = requests.post( f"{OPENAI_BASE}/audio/speech", headers={ "Authorization": f"Bearer {OPENAI_API_KEY}", "Content

Tainted flow: 'img_url' from requests.post (line 263, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
data = resp.json()
            if data.get("base_resp", {}).get("status_code") == 0:
                img_url = data["data"]["image_urls"][0]
                img_resp = requests.get(img_url, timeout=30)
                if img_resp.status_code == 200:
                    with open(output_path, "wb") as f:
                        f.write(img_resp.content)
Confidence
87% confidence
Finding
img_resp = requests.get(img_url, timeout=30)

Tainted flow: 'img_url' from requests.post (line 263, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
data = resp.json()
            if "data" in data and data["data"][0].get("url"):
                img_url = data["data"][0]["url"]
                img_resp = requests.get(img_url, timeout=30)
                if img_resp.status_code == 200:
                    with open(output_path, "wb") as f:
                        f.write(img_resp.content)
Confidence
87% confidence
Finding
img_resp = requests.get(img_url, timeout=30)

Tainted flow: 'audio_url' from requests.post (line 337, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
data = resp.json()
            if data.get("base_resp", {}).get("status_code") == 0:
                audio_url = data["data"]["audio_url"]
                audio_resp = requests.get(audio_url, timeout=30)
                if audio_resp.status_code == 200:
                    with open(output_path, "wb") as f:
                        f.write(audio_resp.content)
Confidence
87% confidence
Finding
audio_resp = requests.get(audio_url, timeout=30)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The claim of being 'self-contained' and having 'no external dependencies' is contradicted by the documented need for MiniMax API access, Python packages, and system-installed FFmpeg. Misrepresenting operational dependencies can cause operators to underestimate supply-chain, privacy, and execution risks when installing or approving the skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill sends user-provided topic/content to external AI services and performs local rendering, but the description does not warn users about data handling, retention, or third-party processing. This is risky because prompts, scripts, and generated media may contain sensitive or proprietary information that users do not expect to leave their environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The material instructs users to provide their own MiniMax or OpenAI API keys, but gives no guidance on secure storage, scope restriction, billing risk, or what data will be sent to third-party services. In the context of a paid automation tool that processes user prompts and content externally, this omission can lead to credential leakage, unexpected charges, or privacy exposure if users paste keys into insecure configs or share sensitive input.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The product listing markets the tool as fully automatic for scripting, image generation, voice synthesis, subtitles, and rendering, but does not warn that prompts, scripts, audio text, and related content may be transmitted to external AI/TTS providers. Because this skill is explicitly designed for batch content generation and commercial use, users may process client or sensitive material without realizing the privacy, compliance, and data handling implications.

VirusTotal

66/66 vendors flagged this skill as clean.
