Ai Director

Security checks across malware telemetry and agentic risk

Overview

The skill fits its video-generation purpose, but it needs Review because it can spend paid credits, stores API keys in plaintext, sends content to external AI services, and has a confirmed prompt-to-shell command injection path.

Review carefully before installing:
  • Use it only with accounts where paid X2C credit usage is acceptable.
  • Avoid sensitive prompts or private video URLs unless you are comfortable sending them to X2C and Gemini.
  • Protect or rotate stored API keys.
  • Avoid auto-iterate until the shell command construction is fixed.
  • Manually confirm costs and deletes before running generation or character-management commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The skill introduces a second external AI provider (Gemini) beyond the main X2C workflow, which expands data exposure and trust boundaries without being clearly reflected in the primary manifest scope. User prompts, video URLs, and possibly creative or sensitive content could be sent to another vendor unexpectedly, creating privacy, compliance, and data-handling risk.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
Automatic evaluate-and-regenerate loops can repeatedly invoke billable generation and external evaluation services, multiplying costs and data transfers without strong user confirmation at each step. In this skill context, which already integrates commercial billing, unattended iteration is especially dangerous because it can rapidly consume credits or trigger repeated account activity beyond what a user intended.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The guide claims scripts are automatically uploaded to Feishu and a link is returned, but the rest of the document only describes local storage and project files. This mismatch creates a security-relevant trust boundary problem: users may disclose sensitive story, commercial, or client material believing it will be handled one way while the implementation behaves differently or incompletely documents data flows.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The account-management script invokes an external sync script via child_process after updating credentials, creating an unexpected execution path in a component whose stated role is authentication and account binding. Because the sync target is external to this file and runs with inherited stdio, any tampering with that script or its path can turn account-binding into arbitrary local code execution and credential propagation.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
This script does more than manage X2C authentication: it copies API keys and user identifiers into a unified account store and syncs them to all skills. That broad credential sharing expands the trust boundary far beyond the stated purpose, so compromise or misuse of any connected skill could expose or abuse the X2C credentials.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs storage of per-user X2C credentials in local JSON files under predictable paths, but provides no safeguards such as file permissions, encryption, secret isolation, or warnings about sensitive data handling. In a multi-user environment, this raises the risk of credential theft, cross-user access, accidental backup exposure, or misuse of commercial accounts.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documented commands can bind accounts, unbind accounts, and trigger billable script/video generation, but the user-facing description does not consistently foreground the fact that these actions modify accounts or incur charges. In a billing-integrated media-production skill, weak cost/account warnings increase the chance of unauthorized, accidental, or socially engineered expensive operations.

Missing User Warnings

Medium
Confidence: 97%
Finding
The document states generated content may be automatically uploaded to Feishu, but it does not provide clear notice about third-party transmission, privacy implications, or what content leaves the local environment. In a script-writing skill that may process proprietary plots, client campaigns, or personal material, undisclosed outbound transfer can cause confidentiality and compliance issues.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill says it automatically saves scripts locally, maintains project state, and stores version history, but does not warn users that content will persist on disk and in snapshots. This can expose sensitive drafts, commercial plans, or personal narratives to unintended local access, backup systems, or later retrieval beyond user expectations.

Missing User Warnings

Medium
Confidence: 92%
Finding
This API reference documents operations that trigger paid generation, export, and retries, but it does not place an explicit warning at the point of use that these actions consume credits and can compound costs through polling/retry workflows. In an agent-facing document, that omission is risky because autonomous systems may execute the recommended path and retries by default, causing unintended charges on a connected billing account.

Missing User Warnings

Medium
Confidence: 90%
Finding
This document provides a complete workflow for creating projects and triggering image/video generation on a commercial service, and it explicitly includes price totals and paid generation steps without any warning about billing side effects, authorization boundaries, or the need for explicit user consent. In an agent skill context, such operational guidance can enable unintended cost-incurring actions if an agent follows the documented flow automatically.

Missing User Warnings

Medium
Confidence: 84%
Finding
The document contains multiple authenticated curl examples using an `x-auth` API key and project identifiers, but provides no guidance on secret handling, log hygiene, or the privacy implications of sending project/script/video data to a third-party service. In an agent skill focused on automated content generation and billing, this omission can lead users to hardcode credentials, expose them in transcripts or repositories, and unknowingly transmit sensitive project content externally.

Missing User Warnings

Medium
Confidence: 88%
Finding
The verification flow persists the returned API key, user ID, and email to local configuration/account storage without clearly informing the user that long-lived credentials will be written to disk and then synchronized. Silent secret persistence increases the risk of accidental exposure through backups, shared machines, weak file permissions, or other local tooling that reads those files.

Missing User Warnings

Medium
Confidence: 91%
Finding
The direct bind path accepts a supplied API key and immediately saves it persistently, then syncs it to other skills, again without an explicit warning or confirmation. In this skill context, that is especially risky because account-management code handles billing-related credentials, so silent propagation can enable unauthorized usage or lateral secret exposure across the broader skill ecosystem.

Missing User Warnings

Medium
Confidence: 94%
Finding
The delete command issues a destructive API request immediately after receiving a character ID, with no interactive confirmation, dry-run, or force flag semantics. In a CLI tied to account-managed remote assets, this increases the chance of accidental deletion from mistyped IDs, copy/paste mistakes, or automation errors, causing irreversible loss of user-created characters.

Missing User Warnings

Medium
Confidence: 95%
Finding
The exported module APIs directly invoke billable remote actions such as script generation and video production using a stored API key, without any confirmation, dry-run mode, spend guard, or explicit warning to callers. In an agent-skill context, other components can call these exports non-interactively, which can trigger unintended charges and external data transmission from a simple function invocation.

Missing User Warnings

Medium
Confidence: 99%
Finding
`runProducer()` builds a shell command string for `execSync()` and appends `command`, which is ultimately derived from the user-supplied prompt and optional style. Because the prompt is only wrapped in double quotes and not safely escaped or passed as structured arguments, shell metacharacters such as `"`, `$()`, backticks, or quote-breaking payloads can result in command injection and arbitrary OS command execution under the current user.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script sends the user-supplied video URL and optional original prompt/script to the Gemini API, which is a third-party external service. There is no consent flow, warning, redaction step, or policy enforcement to prevent accidental disclosure of sensitive prompts, private media locations, or internal URLs, so users may unknowingly leak confidential project data.

VirusTotal

63/63 vendors flagged this skill as clean.
