ClawHub
Back to skill

Security audit

NPAI SKILL

Security checks across malware telemetry and agentic risk

Overview

This skill is a non-executable ecommerce video scripting helper with minor prompt-quality issues but no hidden data access, persistence, or unsafe automation.

Install this if you want help writing ecommerce product-video scripts and preparing prompts for video generation tools. Review the final handoff prompt before sending product images to any external video service, especially if you need a strict no-on-screen-text result or English-only prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The regeneration guidance says 'more restrained text overlay' even though the rest of the file repeatedly mandates no subtitles, captions, or generated on-screen text. This contradiction can cause downstream agents to reintroduce prohibited visual text, violating the declared policy and potentially producing noncompliant outputs for users who explicitly wanted no-text videos.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description includes very broad trigger phrases like 'product content ideas' and generic script requests across multiple platforms, which can cause the skill to activate on underspecified user queries. That can route users into a specialized workflow prematurely, creating incorrect tool selection, unintended media-generation follow-up paths, or context confusion when a more general copywriting or marketing skill would be safer.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.