LH Video Gen

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine video-generation skill, but its custom TTS configuration exposes a broad local shell-command surface (a user-supplied command run through the shell) that users should review before installing.

Install only if you are comfortable with a media tool that runs local executables. Do not let untrusted prompts, scripts, or agents choose --tts-command; use the default TTS integration or a command you wrote and inspected yourself. Avoid processing untrusted Markdown until the template escaping is improved, because subtitle and visual text is inserted directly into the rendered HTML/JavaScript.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            voice=shlex.quote(voice),
            rate=shlex.quote(rate),
        )
        result = subprocess.run(cmd_str, shell=True, capture_output=True, text=True)
    else:
        tts_path = _detect_tts()
        cmd = [
Confidence
99% confidence
Finding
result = subprocess.run(cmd_str, shell=True, capture_output=True, text=True)

VirusTotal

64/64 vendors flagged this skill as clean.
