Video Agent (Deprecated)

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate but deprecated HeyGen video skill; it uses your HeyGen account and can send selected media to HeyGen, but I found no hidden or malicious behavior.

Prefer the newer create-video or avatar-video skills when possible. Install this legacy skill only if you are comfortable giving an agent HeyGen API access; review uploads, prompts, portraits, customer data, webhook URLs, and delete actions before use, and verify webhook signatures in any real deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The 'Uploading from URL' example expands the skill from simple asset upload into arbitrary remote fetching, which can be abused to retrieve attacker-chosen content and then relay it to HeyGen. In an agent context, this creates SSRF-like and data handling risk because the code only checks for the HTTPS scheme and does not restrict hosts, private address space, redirects, size, or content type.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The file presents deprecated v1/v2 HeyGen workflows as the main approach even though the skill metadata says this legacy skill is deprecated in favor of v3 skills. This can mislead users into building against obsolete endpoints, increasing the chance of broken integrations, unsupported behavior, and accidental reliance on legacy APIs that may have weaker validation or reduced support.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding:
The document labels the sample as production-ready but references undefined helpers and uses a polling signature inconsistent with earlier examples, so consumers may copy code that fails at runtime. In security-sensitive automation, nonfunctional examples can cause developers to add unsafe ad hoc fixes, bypass validation, or ship brittle error handling around external API calls.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The primary Express example acknowledges and processes webhook payloads without any authentication or signature verification, which can lead readers to implement a publicly exposed endpoint that trusts attacker-supplied events. An attacker could forge success or failure notifications, trigger downstream business logic, or poison internal state if the example is copied as-is.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The URL-upload workflow fails to warn that external content is first fetched by the client and then re-uploaded to HeyGen, creating an unexpected data transfer chain. In an agent setting, this increases the chance of users unintentionally causing third-party or sensitive content to be copied across systems without proper review.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding:
The documentation shows image and video background examples that reference third-party URLs without warning users that HeyGen or related infrastructure will fetch those remote assets. This can leak user IPs, request metadata, and potentially sensitive asset URLs to external hosts, creating a privacy and supply-chain risk even though the examples appear instructional rather than malicious.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The document instructs users to upload portrait photos, generate talking avatars, and submit speech scripts to third-party APIs without any privacy, consent, or biometric-data handling warning. Because facial images and speech content are sensitive personal data, omitting consent and disclosure guidance can lead to unauthorized processing, policy violations, or unsafe use in impersonation/deepfake scenarios.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation exposes DELETE operations for photo avatars and avatar groups without recommending confirmation, preview, or recovery expectations. In operational use, this increases the risk of accidental irreversible deletion of user assets, especially when these examples are copied directly into automation or agent workflows.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The examples show batch personalization using recipient names, emails, companies, and custom messages, then sending derived personalized content to HeyGen's external API, but they do not warn that this may disclose personal or customer data to a third-party service. In documentation intended for broad reuse, omission of privacy, consent, and data-sharing guidance can lead users to transmit regulated or sensitive data without appropriate review.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation instructs users to send prompts, optional uploaded asset references, and webhook callback URLs to a third-party HeyGen API without clearly warning that potentially sensitive user content will leave the local/trusted environment. In a skill context, this can cause inadvertent disclosure of confidential prompts, files, metadata, or internal webhook endpoints because users may assume the operation is local or privacy-neutral.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation instructs users to send scripts, audio URLs, and callback URLs to HeyGen's external API without clearly warning that potentially sensitive content will leave the local environment. In an agent skill context, users may unknowingly transmit confidential prompts, internal media, or internal webhook endpoints to a third party.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation presents full webhook receiver implementations that accept and process incoming requests long before mentioning signature verification. This sequencing is dangerous because developers often copy the first working example they see, resulting in production handlers that trust unauthenticated external input.

VirusTotal

67/67 vendors flagged this skill as clean.