ClawHub

ASIN营销视频全自动流水线

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed automation for generating Amazon product videos using Google Sheets, Apify, Topview AI, and n8n, with no hidden or incompatible behavior found.

Install only if you are comfortable sending the sheet's ASIN and product data to Apify and Topview AI. Use least-privilege API keys and a service account shared only with the intended spreadsheet, avoid storing sensitive internal notes in processed columns, test on a copy of the sheet first, and enable scheduling only after confirming cost, quota, and update behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow automates transfer of product and workflow data between Google Sheets, Apify, Topview AI, and potentially callback endpoints, and it performs automated writes back into Sheets without any privacy, consent, retention, or third-party processing warning. Even if the intended data is product metadata, operators may include internal notes, account identifiers, or other sensitive business data in the sheet, creating unacknowledged external disclosure and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to create and download sensitive credentials such as Service Account JSON keys and API tokens without any guidance on secure storage, least privilege, or rotation. This increases the risk that users will leave secrets in insecure locations, commit them to source control, or share them improperly, enabling unauthorized access to Google Sheets, Apify, or Topview resources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow reads ASIN-linked spreadsheet data, enriches it via scraping, and then sends product content to third-party APIs without any visible consent, disclosure, minimization, or data-governance checks. While the data appears business-oriented rather than highly sensitive, undisclosed external transfer can still violate internal policy, vendor terms, or privacy expectations if sheet contents expand beyond intended fields.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal