TencentCloud Video Face Fusion

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised Tencent Cloud video face fusion, but it is high-impact because it can automatically upload face media and use cloud credentials without a confirmation step.

Install only if you are comfortable sending the selected face images and video material to Tencent Cloud under your own account. Use least-privileged Tencent Cloud credentials, avoid storing long-lived secrets in shell profiles when possible, keep the AI label enabled, run it in an isolated Python environment, and only process people’s faces with permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import tencentcloud  # noqa: F401
    except ImportError:
        print("[INFO] tencentcloud-sdk-python not found. Installing...", file=sys.stderr)
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"],
            stdout=sys.stderr,
            stderr=sys.stderr,
Confidence
93% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"], stdout=sys.stderr, stderr=sys.stderr, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import tencentcloud  # noqa: F401
    except ImportError:
        print("[INFO] tencentcloud-sdk-python not found. Installing...", file=sys.stderr)
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"],
            stdout=sys.stderr,
            stderr=sys.stderr,
Confidence
93% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"], stdout=sys.stderr, stderr=sys.stderr, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import tencentcloud  # noqa: F401
    except ImportError:
        print("[INFO] tencentcloud-sdk-python not found. Installing...", file=sys.stderr)
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"],
            stdout=sys.stderr,
            stderr=sys.stderr,
Confidence
92% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"], stdout=sys.stderr, stderr=sys.stderr, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to access environment variables containing Tencent Cloud secrets and to execute local shell commands, yet no permissions are declared. This creates a governance and sandboxing gap: a host may grant broader capabilities than users expect, enabling secret use and command execution without explicit disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The public description frames the skill as simple face fusion between two faces for creative use, but the actual behavior includes cloud-submitted video face replacement, multi-face processing, polling, result retrieval, and use of API credentials. This mismatch can mislead reviewers and users about the sensitivity of biometric processing, external data transfer, and operational scope, reducing informed consent and oversight.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill installs a Python package at runtime, which is not necessary for core business logic execution if the environment is prepared correctly beforehand. This behavior creates a supply-chain and arbitrary code execution exposure because package installation runs untrusted setup/build logic from external repositories and modifies the host environment on demand.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script's ability to install packages at runtime is not necessary for its stated purpose of querying a Tencent Cloud face-fusion job. In a skill or agent setting, this permits unreviewed code retrieval and execution from an external package repository, increasing supply-chain exposure and making the skill more dangerous than its declared functionality suggests.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Installing packages at runtime is unrelated to the core job-submission function and introduces unnecessary supply-chain and environment-modification risk. In a security-sensitive or production environment, this behavior can unexpectedly alter the Python environment, download unpinned code from external repositories, and make execution non-reproducible.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly tells the agent to execute face-fusion automatically with 'zero interaction' once inputs are present, without requiring explicit user confirmation or warning that sensitive biometric data will be processed. Because face images are highly sensitive and the operation is effectively deepfake/video face-swap generation, this increases the risk of non-consensual processing, impersonation, and unsafe automation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation exposes a flag to disable the AI-generated content logo, making it easier to produce unlabeled synthetic face-swapped video. In the context of a face-fusion/deepfake skill, reducing provenance signals materially increases deception and misuse risk, especially for impersonation or misleading social content.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document instructs callers to submit face images and source videos to a remote cloud API, which involves biometric and potentially highly sensitive personal data. Because it provides no privacy notice, consent guidance, retention information, or handling constraints, integrators may deploy it in ways that violate user expectations, privacy law, or organizational data-governance requirements.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script sends user-provided face images and related media references to Tencent Cloud for processing without an explicit privacy notice, consent check, or clear disclosure that biometric data is being transmitted off-host. Because face images are highly sensitive personal data, silent remote upload materially increases privacy, compliance, and data-handling risk, especially in enterprise or regulated settings.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically installs a package without prior confirmation or a prominent warning, causing side effects beyond its advertised job-submission behavior. This can surprise users, modify host environments, and increase the risk of supply-chain compromise or policy violations in restricted systems.

VirusTotal

65/65 vendors flagged this skill as clean.