ClawHub

AI短视频工厂

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed short-video creation workflow with no executable installer, persistence, credential use, or hidden behavior found.

Install this if you want an agent workflow for automated short-video planning and production. Be aware that its activation terms are broad, so users should confirm they really want the video workflow before letting it search for assets, generate media, or run batch output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad everyday phrases such as '帮我做视频' and related generic video-creation language, which can match ordinary conversation rather than an explicit request to invoke this skill. This increases the chance of unintended activation, causing the agent to enter an automated workflow unexpectedly and potentially override user intent or route requests into inappropriate processing.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation context '用户提到做视频/生成视频/批量出视频/视频自动化' is overly broad and does not distinguish a casual mention of video work from a deliberate request to run this skill. In a multi-skill environment, this can lead to accidental invocation, misrouting, and execution of automated content-generation steps without sufficient user confirmation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The markdown trigger section includes generic terms like '做视频', which are common in normal discussion and likely to collide with unrelated user utterances. Because the skill performs multi-step automated generation, accidental activation has a meaningful operational impact and can confuse users or trigger unintended downstream actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal