Video Production

Security checks across malware telemetry and agentic risk

Overview

The skill’s video-generation workflow is mostly coherent, but it includes under-scoped background cron persistence and hardcoded external notifications that users should review before installing.

Install only if you are comfortable auditing and modifying it first. Remove or reconfigure the hardcoded phone number and local paths, avoid installing the cron watcher unless you explicitly need it, inspect your crontab before and after use, store API keys in a safer secret mechanism, and set retention/deletion rules for generated prompts, clips, logs, and reference assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Tainted flow: 'image_url' from requests.post (line 47, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
```python
image_url = data["data"][0]["url"]

# Download image
img_response = requests.get(image_url)
img = Image.open(BytesIO(img_response.content))

if filename is None:
```
Confidence
83% confidence
Finding
img_response = requests.get(image_url)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs use of shell commands, environment variables, file writes, networked API access, and cron persistence, yet declares no permissions. This undermines least-privilege controls and can cause operators or automated systems to trust and run a skill with materially broader capabilities than disclosed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a Veo-based video pipeline, but the behavior summary indicates additional undeclared actions: DALL-E image generation, iMessage notifications to a phone number, cron manipulation, and hardcoded local paths. Behavior outside the stated scope is dangerous because it hides side effects, expands the attack surface, and can enable unauthorized communications or persistence.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script sends an out-of-band iMessage notification to a hard-coded external phone number when generation completes. While status notifications can be operationally useful in a media pipeline, this exceeds a simple local retry/watch role and creates a data egress channel that could leak project state, file paths, or workflow activity to an unintended recipient if the number is wrong, compromised, or repurposed.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script edits the user's crontab to remove entries matching "quota_watcher", which means the skill is modifying scheduled task state on the host. Even though this is framed as cleanup, cron manipulation is a persistence-related capability outside core video assembly functionality and can accidentally remove unrelated jobs with matching text or normalize a pattern of self-managing persistence in user environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to configure external AI service API keys and use cloud generation platforms, but it does not warn that prompts, uploaded assets, voice-over material, or other project content may be transmitted to third-party services and retained under those providers' policies. In a video-production workflow, this omission can lead users to send proprietary footage, personal data, or confidential creative materials to external vendors without informed consent or appropriate safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation shows an API key export pattern with a realistic-looking secret format and gives no secret-handling guidance. This encourages unsafe credential practices such as storing plaintext secrets in shell startup files, increasing risk of accidental disclosure through logs, repos, screenshots, or shared environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill requires persistent logging of prompts, outputs, character attributes, and review outcomes without privacy or retention warnings. These artifacts can contain sensitive business data, personal traits, and reference media that may later be exposed to unauthorized users or reused beyond the original purpose.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to append a live Google API key to ~/.zshenv, which persistently stores a sensitive credential in a shell startup file without warning about local exposure, shell-history leakage, backups, or accidental commits of dotfiles. While this is common developer guidance, it increases the chance of long-term credential exposure and misuse if the workstation or home directory is compromised.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The script automatically opens the generated file via the platform opener without asking the user. In an agent or automation context, this can trigger unexpected application launches, leak activity to a GUI session, or open attacker-influenced output paths, which is undesirable behavior even if not a severe code-execution issue by itself.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The test function prints the first 20 characters of the API key to stdout, which exposes a sensitive secret fragment in logs, terminals, screenshots, or CI output. Even partial credential disclosure is dangerous because it leaks secret material unnecessarily and may aid token identification, correlation, or partial reconstruction, especially in shared developer or automation environments.

Ssd 3

Medium
Confidence
93% confidence
Finding
The instructions explicitly require indefinite retention of generation history and approved reference assets across campaigns. Long-lived cross-campaign stores increase the chance of privacy leakage, unauthorized reuse, model prompt disclosure, and cross-project data contamination over time.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
chmod +x scripts/quota_watcher.sh

# Add to crontab:
(crontab -l 2>/dev/null | grep -v quota_watcher; \
 echo "*/30 * * * * /path/to/quota_watcher.sh >> /tmp/quota_watcher.log 2>&1") | crontab -
```
Confidence
91% confidence
Finding
crontab -l

VirusTotal

66/66 vendors flagged this skill as clean.