wanjie-openclaw-video

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill appears purpose-aligned, but it uses broad local credentials, detached background execution, automatic link opening, and host persistence claims that users should review before installing.

Review before installing. Use a dedicated, limited API key if possible, avoid private or secret material in prompts, expect prompts and payload details to be written under model/scripts logs, verify whether any OpenClaw_Veo_Monitor scheduled task or background monitor is created, and disable or remove it if you do not want ongoing unattended execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if platform.system() == 'Windows':
            os.startfile(url)
        elif platform.system() == 'Darwin':  # macOS
            subprocess.Popen(['open', url])
        else:  # Linux
            subprocess.Popen(['xdg-open', url])
    except Exception as e:
Confidence
88% confidence
Finding
subprocess.Popen(['open', url])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif platform.system() == 'Darwin':  # macOS
            subprocess.Popen(['open', url])
        else:  # Linux
            subprocess.Popen(['xdg-open', url])
    except Exception as e:
        log_exc("[!] 打开URL失败", e)
Confidence
88% confidence
Finding
subprocess.Popen(['xdg-open', url])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
importlib.import_module("requests")
    except ImportError:
        print("[*] 正在安装缺失依赖: requests...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

def trigger_veo_generation(prompt, model="veo3.1-fast", seconds=8):
    # Make sure the environment is ready before triggering
Confidence
94% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if platform.system() == 'Windows':
        # Redirect output to NUL to keep OpenClaw from reporting errors
        with open(os.devnull, 'w') as devnull:
            subprocess.Popen(cmd, stdout=devnull, stderr=devnull, creationflags=subprocess.CREATE_NEW_PROCESS_GROUP)
    else:
        # Start a new process on Linux/macOS
        with open(os.devnull, 'w') as devnull:
Confidence
88% confidence
Finding
subprocess.Popen(cmd, stdout=devnull, stderr=devnull, creationflags=subprocess.CREATE_NEW_PROCESS_GROUP)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
        # Start a new process on Linux/macOS
        with open(os.devnull, 'w') as devnull:
            subprocess.Popen(cmd, stdout=devnull, stderr=devnull, start_new_session=True)
        
    return f"[*] 任务已提交: {prompt},请在聊天窗口耐心等待结果通知。"
Confidence
88% confidence
Finding
subprocess.Popen(cmd, stdout=devnull, stderr=devnull, start_new_session=True)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The worker silently reads an API key from the user's local OpenClaw credential store and uses it for requests to an external endpoint. In an agent-skill context, undeclared credential access is sensitive because users may not expect this skill to inherit and spend credentials from another tool's configuration.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README explicitly states that missing Python dependencies may be automatically downloaded if the environment has network access, but it does not clearly warn users that the skill may initiate outbound network activity during setup or runtime. This creates a transparency and supply-chain risk because users may unknowingly allow external package retrieval in an automated agent environment.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase is described as a broad natural-language command without clear boundaries, which can cause unintended activation during normal conversation. In a skill that automatically launches background processing, broad interception increases the chance of accidental task execution and unexpected side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document states that a scheduled background monitor runs every five minutes and automatically processes tasks when idle, but this behavior is not presented with strong user-facing consent and warning language. Persistent autonomous execution changes the trust model of the skill and can surprise users, consume resources, or process data after the original interaction has ended.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill writes generated results to local files and synchronizes status through logs, but the documentation does not clearly explain what data is stored, where it is stored, or for how long. Even if the data is not highly sensitive by default, silent file and log creation can expose prompts, outputs, or operational metadata to other local users or processes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Creating a Windows Task Scheduler job for automated monitoring establishes persistence on the host, which is security-sensitive behavior that should be prominently disclosed and explicitly authorized. Even when intended for convenience, persistence mechanisms can be abused, are hard for users to notice, and materially increase the risk profile of the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill launches a detached background Python process directly from user input without any confirmation, rate limiting, or lifecycle management. This is dangerous because an attacker or abusive user can repeatedly trigger long-running subprocesses, causing resource exhaustion, unmonitored execution, and loss of control over what continues running after the main handler exits.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
User prompt content is transmitted to a third-party remote API with no disclosure in the file and no indication of consent or redaction. In a skill setting, prompts may include sensitive data, making silent exfiltration to an external service a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads an API key from a local credential store without any disclosure or permission check. Even if the key is used only for the intended service, silently consuming stored credentials in an agent environment violates least surprise and can lead to unauthorized external actions or billing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically opens a returned URL via OS-specific launch mechanisms without warning the user first. Combined with the URL being extracted from untrusted remote output, this creates a strong drive-by interaction risk, including phishing, browser exploitation attempts, or invocation of unsafe protocol handlers.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.1
Confidence
95% confidence
Finding
requests>=2.25.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

67/67 vendors flagged this skill as clean.
