UGC Campaign Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate UGC video creation in a coherent way, with expected use of local files and generation services.

Before installing, confirm you are comfortable sending supplied product images, scripts, branding, and campaign materials to the configured generation providers, and check the created files under ~/clawd/ for anything you do not want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs the agent to invoke multiple external generation tools using API keys and to write numerous files under a persistent output directory, but it provides no requirement to inform the user that product images, scripts, and branding assets may be transmitted to third-party services and stored locally. This creates a real privacy and transparency risk, especially if users supply proprietary product imagery, unpublished marketing materials, or sensitive brand assets.

VirusTotal

64/64 vendors flagged this skill as clean.
