wanjie-openclaw-video

Security checks across malware telemetry and agentic risk

Overview

This video skill has a real stated purpose, but it starts detached background jobs and uses local API credentials with weak scoping and controls.

Install only if you are comfortable with a local background worker reading an OpenClaw API key, sending prompts to Wanjie, logging prompts/results locally, and opening returned links automatically. Use a dedicated Wanjie key, avoid sensitive prompts, and check how to stop or remove any running worker or scheduled task before using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        if platform.system() == 'Windows':
            os.startfile(url)
        elif platform.system() == 'Darwin':  # macOS
            subprocess.Popen(['open', url])
        else:  # Linux
            subprocess.Popen(['xdg-open', url])
    except Exception as e:
Confidence
87% confidence
Finding
subprocess.Popen(['open', url])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        elif platform.system() == 'Darwin':  # macOS
            subprocess.Popen(['open', url])
        else:  # Linux
            subprocess.Popen(['xdg-open', url])
    except Exception as e:
        log_exc("[!] 打开URL失败", e)
Confidence
87% confidence
Finding
subprocess.Popen(['xdg-open', url])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        importlib.import_module("requests")
    except ImportError:
        print("[*] 正在安装缺失依赖: requests...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

def trigger_veo_generation(prompt, model="veo3.1-fast", seconds=8):
    # Make sure the environment is ready before triggering
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if platform.system() == 'Windows':
        # Redirect output to NUL to prevent OpenClaw from reporting errors
        with open(os.devnull, 'w') as devnull:
            subprocess.Popen(cmd, stdout=devnull, stderr=devnull, creationflags=subprocess.CREATE_NEW_PROCESS_GROUP)
    else:
        # Start a new process on Linux/macOS
        with open(os.devnull, 'w') as devnull:
Confidence
91% confidence
Finding
subprocess.Popen(cmd, stdout=devnull, stderr=devnull, creationflags=subprocess.CREATE_NEW_PROCESS_GROUP)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    else:
        # Start a new process on Linux/macOS
        with open(os.devnull, 'w') as devnull:
            subprocess.Popen(cmd, stdout=devnull, stderr=devnull, start_new_session=True)
        
    return f"[*] 任务已提交: {prompt},请在聊天窗口耐心等待结果通知。"
Confidence
91% confidence
Finding
subprocess.Popen(cmd, stdout=devnull, stderr=devnull, start_new_session=True)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill spawns a detached local Python process based on chat input, which creates an execution boundary outside the agent's normal lifecycle and oversight. Although it avoids shell injection by passing arguments as an array, it still enables unmonitored background execution of local code triggered by a message, which is risky in a skill context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill adds a host-side capability to launch a browser or other registered application based on a URL extracted from remote API output. In this context, that makes the skill more dangerous because the remote service fully controls the returned content, so a video-generation workflow can unexpectedly trigger local navigation or protocol-handler execution on the analyst's machine.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The code silently reads an API key from `~/.openclaw/openclaw.json`, which is sensitive local credential material unrelated to the script's visible CLI inputs. This undeclared credential access increases risk because users may not expect the skill to harvest local secrets and then use them against a third-party endpoint.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill installs Python packages via pip during normal execution even though that behavior is not essential to safely handling user input. In a skill context, silent dependency installation is especially dangerous because it performs network-retrieved code changes on the host and expands the trust boundary at runtime.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill launches another script as a detached background process without clear justification and with output suppressed. In agent environments this pattern is more dangerous because it enables execution that persists beyond the visible request lifecycle and makes malicious or faulty behavior harder to detect.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that missing Python dependencies may be automatically detected and downloaded over the network, but it does not clearly warn users that installing the skill can trigger external downloads or modify the runtime environment. In an agent skill context, undocumented self-installation behavior increases supply-chain and environment-integrity risk, especially when users may assume the skill is passive documentation rather than a component that changes the host.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The documented trigger phrase is extremely broad and can be activated by ordinary conversational text such as '生成视频:...,' with no namespace, confirmation step, or scope boundary. In a chat-driven agent environment, that increases the chance of accidental invocation and unintended execution of automation that can spawn background processes, install dependencies, and write files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code launches a detached background subprocess without explicit user confirmation or any visible safety controls, and immediately relinquishes control with stdio ignored and unref(). This reduces auditability and makes it harder to detect failures, abuse, or unexpected resource consumption from repeated invocations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends the full user prompt to an external API without any warning, consent gate, or redaction. In a skill context, this is more dangerous because prompts may contain sensitive business data, personal information, or secrets that the user did not intend to disclose to an external service.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code automatically runs pip without warning or obtaining user confirmation. That means a simple function call can modify the host environment and execute installer code from external sources, which is an unsafe surprise side effect for a user-facing skill.

VirusTotal

67/67 vendors flagged this skill as clean.
