ClawHub

Jimeng Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Volcengine Jimeng video-generation helper, but users should avoid sending sensitive prompts or images to the cloud service.

Install only if you are comfortable using Volcengine API credentials and sending the selected prompt plus first/last-frame images to Volcengine. Use non-sensitive media, watch for API charges, and prefer reviewing the returned download URL behavior before using it in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger list contains broad terms such as '视频生成' and related common phrases that could match ordinary user requests and cause unintended invocation of this skill. Accidental activation can lead to unexpected remote API use, transmission of user-provided images/prompts, and possible cost-incurring actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description explains how to use the video-generation API but does not warn users that prompts and image inputs may be sent to a third-party remote service. Without clear disclosure, users may unknowingly upload sensitive images or confidential text to an external provider, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends the user-provided prompt and image content to an external Volcano Engine API, but it does not provide an explicit consent or privacy warning at the point of transmission. In an agent skill context, users may assume local processing, so silently transmitting potentially sensitive text and images to a third party creates a real privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal