Seedance2

Security checks across malware telemetry and agentic risk

Overview

This is a real video-generation helper, but it can upload local media and prompts to Volcengine ARK using your API key without a clear warning or confirmation step.

Install only if you are comfortable sending selected prompts, images, videos, and audio to Volcengine ARK. Use explicit ARK/Seedance commands, avoid sensitive local files, and consider adding a confirmation or preview step before any local file upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The trigger list includes broad phrases like 'generate video', 'AI video', and 'image to video', which are common user expressions and can cause the skill to activate in situations where the user did not intend to invoke this specific external-service workflow. Unintended activation is risky here because the skill can involve local file handling, API-key use, and network transmission to a third party.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The documentation explicitly states that local media files are accepted and auto-base64 encoded, and that API keys are used to call an external ARK service, but it does not clearly warn users that local files and prompts may be transmitted off-device. This omission can lead to accidental disclosure of sensitive images, videos, audio, or metadata to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The helper accepts arbitrary local file paths, reads the full file contents, base64-encodes them, and embeds them into requests sent to a remote video-generation API. While this is expected for image/video upload functionality, the CLI does not clearly warn users that local files are being transmitted off-host, which creates a real privacy and data-handling risk if sensitive files are supplied accidentally.

VirusTotal

VirusTotal findings are pending for this skill version.
