ClawHub

Jimeng Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a purpose-aligned Seedance/Volcengine video-generation helper, but users should understand that prompts and media may be sent to a remote API using their own API key.

Install this only if you are comfortable using Volcengine/Seedance for remote generation. Treat prompts, uploaded images, videos, and audio as data sent to a third-party provider, and avoid secrets, private personal data, or confidential business assets unless your organization approves that use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly documents sending user prompts and generated content to a third-party API endpoint, but it does not prominently disclose the privacy and data-handling implications to users. In a content-generation skill, prompts may contain sensitive business, personal, or copyrighted material, so omission of a clear external-transmission warning can lead to unintended data exposure.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase at line 11 (e.g. a generic video-creation invocation) is broad enough that the skill may be selected for ordinary requests unrelated to this specific Jimeng/Volcengine capability. Because the skill requires high-privilege API credentials and can initiate external media-generation actions, overbroad activation increases the chance of unintended invocation, unnecessary credential use, and unexpected third-party API calls.

Vague Triggers

Low
Confidence
77% confidence
Finding
The manifest exposes several triggers but does not define scope constraints, disambiguation rules, or exclusions for when the skill should not run. In a multi-skill environment, this can cause ambiguous routing and accidental activation of a credentialed external-service skill for general video-related prompts, creating unnecessary operational and privacy risk.

External Transmission

Medium
Category
Data Exfiltration
Content
### 生成带声音的视频

```bash
curl -X POST "https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${API_KEY}" \
  -d '{
Confidence
87% confidence
Finding
curl -X POST "https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${API_KEY}" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal