ClawHub

视频反向提示

Security checks across malware telemetry and agentic risk

Overview

This skill transparently sends user-selected videos or video URLs to NanoPhoto.AI for reverse-prompt analysis, with no hidden persistence or unrelated access found.

Install only if you intend to use NanoPhoto.AI for video analysis. Configure NANOPHOTO_API_KEY through secure skill settings, and only submit videos or URLs you are authorized to upload. Avoid confidential or sensitive media unless you accept NanoPhoto.AI processing, retention, and credit usage terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly instructs users to upload local video files or provide video URLs to an external service, but it lacks a clear user-facing privacy warning about third-party transmission and possible retention or processing of sensitive content. This can lead to unintentional disclosure of private or proprietary videos.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation describes uploading videos, URLs, and filenames to a third-party API but does not clearly warn users that their video content and associated metadata will leave the local environment and be transmitted to NanoPhoto.AI. In a skill that encourages local file upload and supports potentially sensitive media, omission of an explicit data-transfer/privacy notice can mislead users into exposing confidential or personal content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script base64-encodes and uploads the entire local MP4 file and filename to a third-party remote API, but it does not provide an explicit runtime warning, confirmation, or privacy notice before transmission. In a skill context, users may assume local analysis; sending full media content off-box can expose sensitive visuals, embedded metadata, or confidential filenames to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal