Sora Video

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenAI Sora video-generation CLI with normal setup, billing, file, and API-key risks for that purpose.

Install only if you are comfortable using your own OpenAI API key for billable Sora operations. Prefer installing uv through a trusted package manager or by reviewing/verifying the installer first, avoid uploading confidential media unless allowed by your policy, monitor API spending, and confirm video IDs before using delete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and relies on capabilities including environment variable access, filesystem interaction, and network access, yet declares no permissions. This creates a transparency and trust problem: an agent or platform may execute the skill with broader capabilities than a reviewer or user expects, increasing the chance of unintended secret exposure, local file access, or outbound data transfer.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The delete command performs an irreversible remote API deletion immediately when invoked, with no confirmation prompt, dry-run safeguard, or extra validation. In a CLI/agent context, mistaken arguments, automation errors, or prompt-induced misuse could destroy user assets or job history with little friction.

External Script Fetching

Low
Category
Supply Chain
Content
The CLI requires Python 3.10+ and uses `uv` for dependency management (auto-installs the `openai` SDK):
```bash
# Install uv if not present
curl -LsSf https://astral.sh/uv/install.sh | sh
```

## Pricing Guide
Confidence
90% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
The CLI requires Python 3.10+ and uses `uv` for dependency management (auto-installs the `openai` SDK):
```bash
# Install uv if not present
curl -LsSf https://astral.sh/uv/install.sh | sh
```

## Pricing Guide
Confidence
97% confidence
Finding
| sh

VirusTotal

66/66 vendors flagged this skill as clean.
