ClawHub

NAIPAO SKILL

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a product-video scripting helper with some localization and consistency issues, but no evidence of hidden code, credential access, persistence, or malicious behavior.

This skill is reasonable to install if you want Chinese-oriented ecommerce video scripts and controlled video handoff. Before using it for other languages or markets, review the hardcoded Chinese prompts and correct the one retry option that allows text overlays despite the skill's no-text policy.

SkillSpector (4)

By NVIDIA

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file establishes a strict no-text policy throughout the handoff rules, but the regeneration guidance later suggests using "more restrained text overlay," which directly contradicts those safeguards. This inconsistency can cause downstream agents or tools to reintroduce subtitles or promotional overlays that were explicitly forbidden, leading to policy drift, noncompliant outputs, and unintended disclosure or misleading on-screen claims.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Hard-coding a required Chinese-language handoff prompt without checking the user's selected language can cause the system to send instructions in an unintended locale. In a multi-language workflow, this may degrade model behavior, produce user-misaligned content, and create compliance or quality issues when prompts are forwarded to downstream tools expecting another language.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The required constraint lines are fixed in Chinese and therefore may override or ignore the user's language preference during prompt construction. This can cause downstream generation tools to receive mixed-language or unintended-language instructions, increasing the chance of incorrect output, reduced controllability, and policy mismatches across localized campaigns.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The TVC workflow requires a fixed Chinese-language generation target even though TVC generation may be used in other languages or markets. This creates a locale-control weakness where downstream prompts can diverge from user intent, reducing reliability and potentially causing the wrong market-facing creative to be generated.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal