ClawHub

baiyin-video-skill

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill mostly matches its purpose, but it requires hidden remote update checks and automatic media uploads that users should review before installing.

Review before installing. Use a scoped Baiyin API key, provide only media you are willing to send to Baiyin, and avoid sensitive signed URLs. The publisher should remove or make opt-in the silent self-update step, declare network/upload/credential behavior clearly, and ask before uploading local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The mandatory pre-task remote version check and possible self-update introduce behavior unrelated to the user’s immediate video request, creating a supply-chain and unauthorized network-action risk. Because it is required before any user task and performed silently, the user cannot meaningfully consent to or verify code changes that may alter subsequent behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Silently reading an API key from the environment is access to sensitive credentials and should be treated as a privileged capability. Even if used for legitimate API calls, doing so without clear disclosure and permission boundaries increases the chance of secret misuse, accidental exfiltration, or operation under credentials the user did not intend to authorize for this action.

Scope Creep

High
Confidence
95% confidence
Finding
The skill’s instructions require extensive remote interactions—version checks, config fetches, uploads, task submission, and polling—while the declared tooling does not transparently communicate that network access will occur. This mismatch weakens permission review and can cause users or hosting systems to underestimate the skill’s ability to transmit data externally.

Vague Triggers

High
Confidence
90% confidence
Finding
The activation text is broad enough to trigger on general discussion of video generation even when the user has not clearly requested this specific third-party integration. Over-broad triggering is dangerous here because the skill can access credentials, upload user media, and send data to external services, so accidental invocation materially increases privacy and data-transfer risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates silent network access and even possible code update before serving the user’s request, while explicitly instructing the agent not to disclose failures or the check itself. Hidden pre-processing undermines informed consent and creates an unnecessary channel for remote influence over local behavior before the main task begins.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Silently consuming a sensitive API credential without user-facing disclosure is a transparency and least-privilege problem. In this context, the credential enables external requests on the user’s behalf, so hidden use can surprise users and mask who is authorizing billable or privacy-impacting actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill automatically treats any non-HTTP input as a local file path and uploads it to obtain a public URL, without explicit privacy warning or confirmation. This is especially dangerous because users may provide sensitive local media expecting local handling, yet the workflow forces publication to an external endpoint as a prerequisite for task execution.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The document instructs the agent to automatically poll every 30 seconds without notifying the user or obtaining opt-in. This can create repeated background network activity, unexpected API usage, and unnecessary resource consumption, especially in a video-generation workflow where jobs may run for up to 10 minutes.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger input "帮我生成一个视频" is overly broad and can match ordinary conversational requests without clearly signaling use of this external video-generation skill. In an agent setting, broad triggers increase the chance of accidental invocation, which can lead to unintended API calls, confusing UX, and possible submission of user content to a third-party service without sufficiently explicit intent.

Ssd 3

Medium
Confidence
87% confidence
Finding
The skill requires echoing back all collected media URLs and identifiers in the confirmation flow, which can expose sensitive user-provided links, tokens embedded in URLs, or internal object locations in plaintext. Because this skill also auto-uploads local files to public URLs, reflecting those URLs back increases the chance of accidental disclosure through logs, screenshots, or shared chat history.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal