ClawHub

ZeeLin-video-analysis 视频拉片

Security checks across malware telemetry and agentic risk

Overview

The skill does the advertised video analysis, but it sends videos and an App-Key to a plaintext raw-IP service, so users should review it carefully before use.

Install only if you trust the Zeelin backend and are comfortable sending your videos and App-Key to that service. Avoid confidential, personal, or proprietary videos unless the publisher provides a verifiable HTTPS endpoint, clear retention/privacy terms, and explicit confirmation before upload and billing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The config routes uploaded video data to a remote service over plain HTTP, even though the skill is presented as local video upload/analysis. This creates a real risk of undisclosed off-device data transfer and exposes potentially sensitive video content and metadata to interception or tampering in transit because the connection is not protected by TLS.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to match ordinary user language like '分析视频' or '视频处理', which can cause the skill to activate unexpectedly. In this skill, accidental activation is more sensitive because it can lead to uploading local video content and transmitting an App-Key to a third-party service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs uploading local video files and sending an App-Key to an external service without a clear user-facing warning about data transfer, retention, billing, or trust boundaries. Because videos may contain sensitive personal or proprietary material, silent transmission to a third party creates a significant confidentiality and consent risk.

Missing User Warnings

Low
Confidence
76% confidence
Finding
Requiring generation of an md file without warning the user that a local file will be created can lead to unexpected artifact creation on the user's system. The impact is limited, but it still affects user consent, filesystem hygiene, and could expose analysis results if written to an insecure location.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal