Security audit

best-practices

Security checks across malware telemetry and agentic risk

Overview

This is a Remotion guidance skill with copyable examples; the main caution is that some examples contact remote services or upload selected audio for transcription.

Safe to install as a Remotion reference skill. Before copying the examples, prefer local assets for sensitive projects, use trusted or allowlisted remote URLs, keep API keys in environment variables, and do not send private or regulated audio to cloud transcription services without consent and approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium (90% confidence)
Finding
The example performs a network request to `props.dataUrl` without any warning, validation guidance, or trust-boundary discussion, which can encourage users to fetch attacker-controlled URLs derived from composition props. In build/render environments this can lead to unintended outbound requests, exposure of internal services via SSRF-style access, or transmission of sensitive props-derived context to third-party endpoints.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The example uploads the full audio file content to a third-party cloud API for transcription but does not include any warning about privacy, consent, or data handling implications. Because audio often contains sensitive personal or confidential information, presenting this as a best-practice option without explicit disclosure can lead users to transmit regulated or private data off-device unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.