WeChat Channel Voice + Video: Implementing Bubble Auto-Broadcast Mode

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it sends user text and image prompts to external services and can overwrite files outside its intended output folder if given an unsafe output path.

Install only if you are comfortable with narration text and background prompts being processed by external generation services. Avoid secrets, personal data, or regulated content in the text or prompt, and use simple output filenames rather than paths unless you have reviewed the script. Inspect the hardcoded FFmpeg and Python paths before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding:
The markdown instructs use of external image generation and local MP4 creation without warning that user-provided content may be sent to a third-party service and written to disk. In this skill context, that is especially relevant because the feature inherently processes arbitrary user text and prompts, so sensitive content could be disclosed externally or stored locally without informed consent.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The script sends user-provided text to edge_tts and sends the background prompt to pollinations.ai without any consent flow, warning, or data-handling notice. In a skill that may process private document content, this creates a real privacy and data-exfiltration risk because sensitive text and prompts may leave the local environment unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.
