Security audit

Litmedia

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it needs Review because it handles account credentials and private media while under-disclosing uploads and leaking sensitive data to logs.

Install only if you trust the LitMedia service and publisher. Expect selected local images, audio, videos, prompts, and URLs to be sent to external services, generation to consume account credits, and credentials to remain on disk until logout succeeds. Avoid sensitive, confidential, biometric, or third-party likeness/voice media unless you have consent and are comfortable with external processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (27)

Tainted flow: 'OAUTH_BASE_URL' from os.environ.get (line 31, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
_delete_credentials()

        resp = requests.post(
            f"{OAUTH_BASE_URL}/oauth/api/device/init",
            json={
                "client_id": CLIENT_ID
Confidence
90% confidence
Finding
resp = requests.post( f"{OAUTH_BASE_URL}/oauth/api/device/init", json={ "client_id": CLIENT_ID }, headers={"Monimaster-Device-Ty

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises and documents capabilities to read/write local files, access environment variables, invoke Python scripts, and make network requests, yet it declares no permissions. This creates a transparency and consent problem: users and hosting platforms cannot accurately assess or constrain what the skill can access, especially because it handles authentication tokens, uploads local media, and stores credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The public description materially understates what the skill does: it performs OAuth login/account switching, stores local credentials, reads usage/balance data, uploads user media, and includes voice/avatar/character-replacement workflows. This mismatch can mislead users into granting access or providing sensitive media without understanding the real scope of collection, persistence, and external transfer.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The authentication helper derives a persistent client identifier from username and system characteristics unrelated to the skill's stated media-generation purpose. This creates a device fingerprint that can be used for tracking or correlation across sessions, which is privacy-invasive and unnecessary for a normal OAuth device flow unless explicitly disclosed and justified.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The logout path does more than remove local credentials: it conditionally performs a remote device unbind operation before deleting the credential file. This is security-relevant behavior that users would not expect from a local logout, and it can trigger account/device state changes on the remote service without clear disclosure.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI help text says logout removes saved credentials, but the implementation may first attempt a remote unbind and then leave local credentials intact if that network call fails. This mismatch is dangerous because users may believe they are logged out while valid local credentials remain on disk.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
`get_video_duration` accepts arbitrary HTTP/HTTPS URLs, downloads the remote resource to a local temp file, and then inspects it. In an agent context, this creates an SSRF-style network primitive and can also expose the host to untrusted media parsing of attacker-controlled content, which is more serious than the docstring suggests.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README encourages users to 'just tell the AI what you need' and presents the skill as universally applicable without clear invocation boundaries, approval requirements, or safety constraints. In an agent environment, this kind of broad natural-language activation guidance can cause the skill to be selected for loosely related prompts and trigger high-impact media actions such as voice cloning, avatar generation, and content transformation without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The statement that users can 'freely combine' capabilities into 'any workflow' and that the AI will 'figure out how to make it happen' removes practical constraints on activation and execution. In this skill's context, the risk is elevated because the available functions include identity- and media-sensitive operations like voice cloning, talking avatars, and style mimicry, which could be invoked from ambiguous requests or chained into unintended automated workflows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages uploading photos, audio, and voice-cloning inputs but does not clearly warn about the sensitivity of biometric and personal media. In this context, omission is risky because users may provide face images, voice samples, and personal videos without informed consent regarding upload, retention, impersonation risk, or misuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly encourages supplying reference images via URL or local file paths but does not warn users that those images may be uploaded to external AI services for processing. In a media-generation skill, users are likely to provide personal, proprietary, or sensitive images, so omission of a privacy/data-handling warning can lead to unintended disclosure of confidential content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `status` command output includes personally identifiable information and a partially masked API key, and the surrounding guidance does not require explicit user consent or a warning before displaying it. In an agent setting, echoing this output into chat, logs, screenshots, or shared terminals can expose account metadata and sensitive authentication material beyond what is necessary for routine status checks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows local file paths for `--image` and `--audio` and even notes that local images are auto-uploaded, but it does not clearly warn users that supplying local media will transmit potentially sensitive biometric and voice data to a remote third-party service. In this context, that omission is security-relevant because users may reasonably assume a local transformation workflow when invoking a local Python script, leading to unintended disclosure of personal or regulated content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation encourages users to pass local file paths, URLs, prompts, images, audio, and videos into a generation workflow but does not warn that this data may be uploaded to an external service for processing. This creates a real privacy and data-handling risk because users may unknowingly transmit sensitive local media, proprietary prompts, or private URLs to a third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly supports local file paths and remote URLs for images and videos but does not warn users that these assets may be uploaded to an external third-party video-processing service. In this skill context, users are likely to provide personal media, making the omission materially risky because it can lead to unintended disclosure of sensitive or copyrighted content without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
For image_edit tasks, local file paths are automatically passed to resolve_local_file(), which may upload user-provided local images to the remote LitMedia service. The CLI help mentions local paths are supported, but there is no explicit consent prompt, transmission warning, or trust boundary notice before data leaves the local machine, creating a privacy and data-handling risk for sensitive images.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints fingerprint source data such as username and system/platform details during client ID generation. This unnecessarily exposes sensitive host-identifying information to stdout, shell history capture, logs, CI output, or other monitoring systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
The polling code prints the full OAuth token/status response, which may contain access tokens, API keys, account identifiers, or other sensitive auth material. Exposing credential-bearing responses to stdout can leak secrets into terminals, process capture systems, or logs, enabling account compromise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The device-init response is printed verbatim and may expose device codes, verification URLs, token endpoints, or session metadata. Those values can be abused to interfere with the authorization process or disclose internal service details to unintended observers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The helper fetches an arbitrary URL and writes the full remote response to a local temporary file with no allowlisting, size limits, timeout, or restriction on internal addresses. In practice this creates SSRF and resource-exhaustion risk: an attacker-controlled URL could make the host contact internal services or download very large content to disk/memory, and the media parser is then exposed to untrusted file input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This function repeats the same unsafe pattern by downloading attacker-controlled remote media to a temp file and then parsing it locally. That enables SSRF to internal network resources and denial-of-service via oversized or slow responses, while also increasing exposure to parser bugs in the media inspection library when handling untrusted files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code prints the full credential-response body from the upload token endpoint, which likely contains temporary OSS STS credentials such as AccessKeyId, AccessKeySecret, and SecurityToken. In an agent skill context, stdout/stderr is often captured in logs, consoles, or orchestration systems, so these secrets could be exposed to operators, other tenants, or downstream log processors and then abused to upload, overwrite, or read objects within the permitted scope.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
`cmd_run` prints the full request body to stderr unconditionally once, even before checking `--quiet`, and the body includes prompts, file references, and potentially sensitive media identifiers. In agent or hosted environments, stderr is often centrally logged, so this can leak user data, internal URLs, or file IDs to logs and operators without consent.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
alibabacloud-oss-v2==1.2.4
pymediainfo==7.0.1
Confidence
96% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=1.0.0
alibabacloud-oss-v2==1.2.4
pymediainfo==7.0.1
Confidence
94% confidence
Finding
python-dotenv>=1.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.