Security audit

video by remotion

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate video-generation skill, but its local Qwen TTS path can execute shell commands built from editable project configuration.

Install only if you are comfortable with a local build/render tool that runs make, npm, Python, ffmpeg, Remotion, and TTS tools. The skill treats project configs and content files as trusted input, so only use ones you trust, especially before running Qwen targets; inspect tts.pythonEnv conda names, venv paths, and custom config/content arguments. Do not use Edge TTS for confidential narration unless sending that text to the online TTS service is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"  [venv] {venv_path}")
print(f"  Running: {shell_cmd}\n")
try:
    subprocess.run(
        ["bash", "-c", shell_cmd],
        check=True, cwd=root,
    )
Confidence
98% confidence
Finding
subprocess.run( ["bash", "-c", shell_cmd], check=True, cwd=root, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"  [conda] env={conda_name}")
print(f"  Running: {shell_cmd}\n")
try:
    subprocess.run(
        ["bash", "-c", shell_cmd],
        check=True, cwd=root,
    )
Confidence
99% confidence
Finding
subprocess.run( ["bash", "-c", shell_cmd], check=True, cwd=root, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs the agent to perform filesystem operations and invoke shell commands, yet it does not declare any permissions or capability boundaries. This creates a governance and least-privilege problem: a user or platform may assume the skill is low-risk while it can scaffold projects, write files, and run build/render pipelines that execute local tooling and reach the network via dependency installation and Edge TTS.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill metadata explicitly requires all operations to use make commands, but this reference file teaches users to invoke bare `npx remotion render` commands directly. That inconsistency can cause agents or users to bypass the intended wrapper workflow, which may skip safety checks, standardized environment setup, logging, or policy constraints enforced by the Makefile.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The default `tts` target sends subtitle/content data to Edge TTS, an online service, without making that network transfer explicit at the point of use. In a video-production skill, input content may contain proprietary scripts, internal training material, or sensitive narration text, so silently choosing a remote service can cause unintended data disclosure and privacy/compliance issues.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The shell-based TTS invocation executes config-derived values with only informational logging and no validation or escaping. In this skill context, project config and content files are expected inputs to the pipeline, so treating them as shell-safe makes the pipeline materially more dangerous: opening or rendering an untrusted project could execute arbitrary host commands.

VirusTotal

67/67 vendors flagged this skill as clean.