wanjie-openclaw-video

Security checks across malware telemetry and agentic risk

Overview

This video skill mostly matches its stated purpose, but it needs review because it uses local API keys, detached background execution, automatic link opening, and poorly scoped persistence/dependency behavior.

Review before installing. Use it only if you intend to send video prompts to Wanjie and have confirmed that the first API key in ~/.openclaw/openclaw.json is the intended Wanjie key. Be aware that it may run detached background jobs, may open returned links automatically, may write logs/result links on disk, and its documentation claims scheduled monitoring without clear disable or uninstall steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if platform.system() == 'Windows':
        os.startfile(url)
    elif platform.system() == 'Darwin':  # macOS
        subprocess.Popen(['open', url])
    else:  # Linux
        subprocess.Popen(['xdg-open', url])
Confidence
92% confidence
Finding
subprocess.Popen(['open', url])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    elif platform.system() == 'Darwin':  # macOS
        subprocess.Popen(['open', url])
    else:  # Linux
        subprocess.Popen(['xdg-open', url])

def is_process_running(pid):
    """Check whether the process with the given PID is running"""
Confidence
92% confidence
Finding
subprocess.Popen(['xdg-open', url])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        importlib.import_module("requests")
    except ImportError:
        print("[*] 正在安装缺失依赖: requests...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

def trigger_veo_generation(prompt, model="veo3.1-fast", seconds=8):
    # Make sure the environment is ready before triggering
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads an API key from a local user configuration file without any visible disclosure, consent flow, or clear scoping to the current action. In an agent-skill context, silently harvesting local credentials increases risk because a user may not expect the skill to access secrets from their home directory and then use them for external requests.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill opens URLs via external OS handlers as part of normal execution, and those URLs are later sourced from remote model output. In this context that is an unjustified and dangerous side effect: a remote service effectively controls a local action on the user's machine, which can be abused for phishing, drive-by browser launches, or custom-protocol invocation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill modifies the execution environment by installing Python packages during runtime, which is unsafe in a security-sensitive agent context. Even for a common package like requests, on-the-fly installation can introduce supply-chain exposure, unexpected privilege use, and non-reproducible behavior across runs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly tells users to ensure network connectivity so the skill can automatically download missing Python dependencies at runtime. This creates a supply-chain and environment-modification risk because code execution behavior depends on external package retrieval, but the documentation does not clearly warn about that behavior, pin versions, or describe trust boundaries.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation phrase "生成视频:[您的提示词]" is broad and underspecified, which can cause the skill to trigger on generic conversational text without clear user intent boundaries. In a skill that also launches background processing and automation, ambiguous triggering increases the chance of unintended execution and surprise actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation describes persistent background monitoring every 5 minutes, automatic dependency installation, log/result syncing, and installation of a Windows scheduled task, but does not present these as prominent user warnings requiring informed consent. Persistence plus scheduled execution materially increases security and privacy risk because users may unknowingly install software that continues running, modifies the host, and processes tasks outside the immediate chat interaction.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill launches an external Python process in the background based directly on user input, with no confirmation, no visible audit trail, and no supervision of the spawned task. Although `spawn` is used with argument separation rather than a shell, this still creates a security and safety risk because arbitrary users can trigger resource-consuming external execution and the detached process can continue outside the agent lifecycle.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code accesses a sensitive credential from a local config file without notifying the user in code or requiring explicit configuration for this script. In a skill setting, silent secret access is risky because it expands the skill's privilege surface and can surprise users who did not grant or understand that level of access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The package installation occurs automatically and silently from the standpoint of security control: the user is not asked to approve an environment change before pip is invoked. In agent or hosted environments, this can violate least surprise and policy expectations while enabling unwanted code retrieval and execution from external sources.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.1
Confidence
96% confidence
Finding
requests>=2.25.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.
