ClawHub

seko video creation - All-in-one AI video creation by seko.sensetime.com

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Seko AI video-creation helper; it needs a Seko API key and downloads generated media, with some credential-storage and URL-download cautions.

Install only if you are comfortable giving this skill a Seko API key and letting it save project files, generated JSON, images, videos, and possibly a .env file in the workspace. Use a limited or revocable API key, avoid sharing the project directory with .env included, and review downloaded media URLs if you work in a sensitive network environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script passes user-controlled input directly to urllib.request.urlopen without restricting the scheme or destination, so it can fetch not only http/https URLs but also local or unexpected schemes supported by urllib in the runtime environment. This can allow reading local files or accessing internal resources if an attacker can influence the --url argument, which is unnecessary for a video-creation helper that should only retrieve remote images.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs collecting a user API key and storing it in a local .env file without warning about persistence, file permissions, accidental inclusion in backups, or later exfiltration by other tools. Persisting secrets unnecessarily increases the chance of credential leakage and long-term compromise of the user's third-party account.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal