ClawHub

HappyHorse Video Generation and Editting

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its advertised job by sending user-selected prompts and media to Alibaba DashScope HappyHorse APIs for video generation and editing.

Install only if you are comfortable sending prompts, media URLs, and any local images or videos you provide to Alibaba DashScope for processing. Use a limited DashScope API key, avoid confidential or regulated media unless approved for that provider, and remember that generated video URLs and task IDs are temporary but may still expose content while valid.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares it requires an API key and demonstrates use of remote URLs and model APIs, which implies network access and use of sensitive environment data, but it does not declare permissions accordingly. This weakens transparency and consent: users and platform controls may underestimate what the skill can access or where data can be sent, increasing the risk of unintended data exposure or policy bypass.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill is built around remote video-generation and editing APIs, and the examples show user prompts, image URLs, and video URLs being submitted to Alibaba HappyHorse/ModelStudio for processing. Failing to clearly disclose this can mislead users into sharing sensitive media or prompts under the false impression that processing is local, creating privacy, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to send prompts and externally hosted reference-image URLs to a third-party video generation API, but it does not warn that potentially sensitive content will be disclosed to an external provider. In this skill context, reference images may contain faces, personal photos, or proprietary visual assets, so the lack of a clear privacy/data-sharing notice can lead to unintended exposure of user data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Local files supplied by the user are automatically read, base64-encoded, and embedded into requests sent to a remote API, but the tool provides no explicit privacy or upload warning. In a skill context, users may reasonably believe they are just referencing local media, not transmitting the full file contents off-host, which creates a meaningful risk of accidental disclosure of sensitive images or videos.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal