TencentCloud Video AIGC Detection

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but local-video use can upload private files through an unspecified helper skill without a clear confirmation step.

Review before installing if you plan to scan local files. Use URL input where possible, approve any COS upload step explicitly, verify any separate upload skill before installation, and use least-privilege or temporary Tencent Cloud credentials for media you are comfortable sending to Tencent Cloud.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to upload a user-provided local video file to Tencent Cloud COS before analysis, but does not require an explicit user-facing consent or warning at the point of transfer. This can cause unintended exfiltration of sensitive local media, especially if users think analysis occurs locally or only against the moderation API URL endpoint.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation instructs users to submit video URLs and optional callback endpoints to Tencent Cloud without warning that this transmits potentially sensitive content, URLs, and related metadata to a third-party service. In a security-sensitive agent skill, omission of this disclosure can lead to unintended exfiltration of private media, internal URLs, signed URLs, or callback destinations, especially if users assume analysis is local or do not understand the privacy implications.

VirusTotal

65/65 vendors flagged this skill as clean.
