Security audit

Create Video

Security checks across malware telemetry and agentic risk

Overview

This HeyGen video skill mostly fits its purpose, but it needs Review because it grants broad HeyGen account authority, including deletion, and documents data-upload and local-storage patterns without strong safeguards.

Install only if you are comfortable giving the agent a HeyGen API key with account-level video access. Confirm any deletion or credit-consuming generation request, avoid using the wildcard HeyGen tools beyond the exact task, and upload or reference only media and prompts you intend to share with HeyGen. Treat webhook and URL-import examples as templates that need hardening before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The skill is presented as a video-creation skill, but its documented workflow also grants account-enumeration and deletion operations. This broadens the operational scope beyond the user-facing purpose, increasing the chance an agent may perform unrelated or harmful actions on existing account assets.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: Deletion capability is not justified by the stated purpose of creating videos from prompts. Including destructive operations in a creation-focused skill creates an unnecessary path for accidental or prompt-induced deletion of user assets.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The documented uploadFromUrl helper expands the skill from uploading user-provided local assets into fetching arbitrary remote content and re-uploading it with the platform's credentials. That creates an SSRF-like primitive and data relay capability: an agent could be induced to contact attacker-chosen URLs, access internal or sensitive network resources reachable from the runtime, and exfiltrate the retrieved content to HeyGen.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: The resumable workflow persists user script content plus avatar and voice metadata to local files without any minimization, encryption, retention policy, or privacy warning. In agent environments, these files may be readable by other processes, users, or later tasks, creating unintended disclosure of potentially sensitive prompt/script data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documentation includes destructive deletion functionality without any warning, confirmation, or user-consent requirement. In an agent context, this materially increases the risk of accidental or socially engineered destructive actions.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The file encourages uploading local files and sending an API key to a third-party service without any warning about data disclosure, retention, or suitability of sensitive content. In an agent setting, that omission increases the risk that users or downstream tools will transmit confidential files, credentials embedded in media, or regulated data without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation instructs users to send prompts, optional uploaded assets, and callback metadata to a third-party service without any warning that this may disclose sensitive data outside the local environment. In a skill context, users may unknowingly include proprietary content, internal URLs, or personal data in prompts/files, so the omission materially increases privacy and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The guidance explicitly writes user-provided script content to pending-video.json but provides no warning about privacy, sensitivity, or local data retention. Even if intended for convenience, this can cause inadvertent storage of proprietary, personal, or regulated content in plaintext on disk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The initial Express and Flask webhook examples accept and begin processing untrusted POST bodies before demonstrating any authenticity verification. In practice, readers often copy the first example they see, so this documentation can lead developers to deploy webhook endpoints that are vulnerable to forged requests, replayed events, and business-logic abuse.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's uploadFromUrl helper):
const buffer = Buffer.from(await sourceResponse.arrayBuffer());

  // 2. Upload directly to HeyGen
  const response = await fetch("https://upload.heygen.com/v1/asset", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.HEYGEN_API_KEY!,
Confidence: 93%
Finding: fetch("https://upload.heygen.com/v1/asset", { method: "POST"

VirusTotal

66/66 vendors flagged this skill as clean.