Security audit

Cclaw

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly purpose-aligned, but its video-editing workflow asks the agent to execute FFmpeg on user-supplied files without clear safety boundaries or confirmation.

Install only if you are comfortable reviewing each generated media action before it runs. Do not let it execute FFmpeg against important originals unless the agent shows the exact input path, output path, and command first, and prefer writing to new files in a controlled workspace. The publisher should remove local-path development artifacts and add explicit confirmation, non-overwrite defaults, and path/argument validation for video and poster generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%

Finding: The HTML embeds a hard-coded absolute local filesystem path in an <img> source (file:///C:/Users/tiger/Desktop/狼人杀/狼人杀头像(1).jpg). This leaks the author's local username and directory structure, reduces portability, and can expose sensitive workstation details if the file is shared, rendered, or logged in other environments.

Missing User Warnings

Severity: Medium | Confidence: 91%

Finding: The skill explicitly says it will generate FFmpeg commands, execute them, and output files, but does not require a clear warning or confirmation before making tool-side system changes. In an agent setting, silent media processing can overwrite files, consume significant resources, or act on attacker-influenced paths and arguments if the natural-language script is interpreted too permissively.

Vague Triggers

Severity: Medium | Confidence: 85%

Finding: The trigger examples are so broad that ordinary user phrases like “来一段” or “创作” could unintentionally activate the skill's multi-step workflow. In context, this matters because the skill includes tool-execution branches for video editing and poster generation, so ambiguous activation increases the chance of the agent entering a privileged or stateful workflow the user did not clearly request.

Missing User Warnings

Severity: Medium | Confidence: 94%

Finding: The skill explicitly instructs the agent to parse natural-language scripts, generate FFmpeg commands, and execute them, but provides no user-facing warning, consent step, path restrictions, or execution safety controls. In this skill's context, that is dangerous because FFmpeg operations can overwrite files, read arbitrary local media paths, create large outputs, or be abused through unsafe argument construction if natural-language inputs are translated directly into shell commands.

Vague Triggers

Severity: Medium | Confidence: 92%

Finding: The video-editing command is triggered by a very generic phrase like '帮我剪辑视频' combined with natural-language parameters, which can overlap with ordinary user conversation and cause unintended invocation of FFmpeg-backed tooling. Because this skill performs file-based media operations, ambiguous routing increases the risk of accidental processing of local files or execution of higher-impact tool actions when the user did not explicitly intend to invoke the skill.

Vague Triggers

Severity: Medium | Confidence: 89%

Finding: The poster-generation phrases are broad conversational requests such as '帮我生成一张脱口秀海报' or '做个B站封面', which are plausible in normal dialogue and may accidentally trigger canvas-design workflows. In a skill that can transform prior context into generated promotional assets, loose triggers can cause unintended use of user content, misrouting, or unwanted downstream tool execution.

Vague Triggers

Severity: Medium | Confidence: 95%

Finding: The automatic follow-up behavior (after writing comedy content, the user can simply say '帮我生成一张海报' and the system will auto-extract information from prior content) is insufficiently constrained and creates a context-confusion risk. This is more dangerous in this skill because it explicitly chains content-generation to external poster tooling, so ambiguous follow-up text may unintentionally reuse prior conversation state, include sensitive or incorrect details, or trigger tool actions without clear user intent.

Natural-Language Policy Violations

Severity: Medium | Confidence: 92%

Finding: The file includes an ethnicity/race-based humor example ("白宫是奴隶造的,所以严格来说是黑宫") without framing, caution, or guidance on handling protected characteristics responsibly. In a comedy-writing skill, such examples can normalize generating jokes about race and increase the chance that downstream users produce harmful or policy-violating content.

Vague Triggers

Severity: Medium | Confidence: 89%

Finding: The activation guidance is overly broad: it says to prioritize this structure whenever user input involves Chinese-context jokes, dialog humor, or any content needing setup-and-payoff rhythm. That can cause the skill to trigger in many ordinary Chinese writing tasks outside its intended niche, leading to inappropriate routing, reduced response quality, or unexpected behavior. In this file, the content is comedic theory rather than code execution or data access, so the risk is primarily misactivation rather than direct security compromise.

Vague Triggers

Severity: Medium | Confidence: 86%

Finding: The trigger phrases are broad enough to match generic image-generation requests such as '帮我生成一张图', which can cause this recipe to activate outside its intended 'quote card' scope. That increases the chance of incorrect tool routing, unintended content transformation, or bypass of narrower workflow controls in a larger agent system.

Missing User Warnings

Severity: Medium | Confidence: 88%

Finding: The README explicitly states that natural-language editing requests are converted into FFmpeg commands and then executed, but it does not mention any confirmation step, sandboxing, path restrictions, or warning that commands can modify files. In a skill that accepts user-driven media-editing instructions, this increases the risk of unsafe command construction, unintended file overwrite/deletion, or dangerous invocation patterns being treated as normal behavior.

Vague Triggers

Severity: Medium | Confidence: 89%

Finding: The command triggers for writing tasks are very broad everyday phrases like '写/创作/帮我写…', which can be matched during normal conversation without a clear opt-in boundary. In an agentic system, ambiguous activation increases the chance the skill routes ordinary user text into this skill unexpectedly, causing unintended prompt/file reads or generation behavior.

Vague Triggers

Severity: Medium | Confidence: 92%

Finding: The video-editing entry point is also expressed as common language ('帮我剪辑视频') plus free-form file path and script text, making accidental or overly broad activation plausible. Because this skill can drive FFmpeg operations on files, ambiguous routing has higher risk than pure text generation: it may trigger unintended processing of local user assets.

Vague Triggers

Severity: Medium | Confidence: 87%

Finding: Poster-generation commands include broad phrases such as '帮我生成一张脱口秀海报 / 做个B站封面', which resemble common assistant requests and lack a strong boundary indicating that a tool-producing workflow will run. This can lead to unintended tool invocation or asset generation when the user meant to brainstorm rather than execute a design workflow.

Vague Triggers

Severity: Medium | Confidence: 94%

Finding: The phrase '写完脱口秀/漫才后可直接说「帮我生成一张海报」' enables automatic chaining from prior content using a vague follow-up utterance. This increases the risk of context bleed and unintended extraction of prior conversation content into a generated artifact without an explicit review step.

Missing User Warnings

Severity: Medium | Confidence: 95%

Finding: The video tool section describes FFmpeg-driven editing, concatenation, subtitling, and transcoding on user-supplied paths but provides no warning about overwrite behavior, destructive edits, or output-path safety. In an agent environment, file-modifying capabilities without explicit safeguards can lead to accidental loss, corruption, or replacement of user media.

Vague Triggers

Severity: Medium | Confidence: 94%

Finding: The activation guidance is overly broad: triggers like '中文语境段子', '对话式幽默', or content needing '铺垫-爆发节奏' can match many ordinary Chinese writing requests, causing the skill to activate outside its intended scope. In an agent setting, this can hijack unrelated user tasks, override more appropriate skills, and steer outputs toward this theory even when the user did not ask for comedy-specific structure.

Vague Triggers

Severity: Medium | Confidence: 91%

Finding: The trigger phrases are broad enough to match many generic image-generation requests, which can cause this skill to activate outside its intended comedy quote-card workflow. In an agent system with multiple skills, that increases the risk of incorrect tool routing, unintended content transformation, or bypass of more appropriate safeguards tied to other image or design flows.

Missing User Warnings

Severity: Medium | Confidence: 89%

Finding: The README explicitly states that natural-language requests are converted into FFmpeg commands and then executed, but it does not document any safety boundaries, user confirmation, path restrictions, or warning that files may be modified or overwritten. In a skill that turns user input into shell-relevant command construction, this omission increases the risk of unsafe execution behavior, destructive file operations, and command/argument injection in downstream implementations.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.