Back to skill

Security audit

Medeo Video

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is mostly aligned with its purpose, but it has unsafe chat-token handling that could expose credentials in logs.

Install only if you are comfortable sending prompts, media, and generated videos to Medeo and chat platforms. Avoid Telegram attachment upload until the token-bearing URL logging is fixed, use least-privilege bot/app credentials, prefer environment variables or a secret manager, and clear the local medeo-video workspace if job history is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (18)

Tainted flow: 'token' from os.environ.get (line 1231, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
}), file=sys.stderr)
            sys.exit(1)
        _log(f"Fetching Telegram file info: {args.telegram_file_id}")
        r = requests.get(
            f"https://api.telegram.org/bot{token}/getFile",
            params={"file_id": args.telegram_file_id},
            timeout=(CONNECT_TIMEOUT, READ_TIMEOUT),
Confidence
90% confidence
Finding
r = requests.get( f"https://api.telegram.org/bot{token}/getFile", params={"file_id": args.telegram_file_id}, timeout=(CONNECT_TIMEOUT, READ_TIMEOUT),

Tainted flow: 'dl_url' from os.environ.get (line 1254, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
filename = f"tg_{args.telegram_file_id[:12]}.{extension}"
        dl_url = f"https://api.telegram.org/file/bot{token}/{file_path}"
        _log(f"Downloading Telegram file: {dl_url}")
        r2 = requests.get(dl_url, timeout=(CONNECT_TIMEOUT, 60))
        r2.raise_for_status()
        file_bytes = r2.content
        _log(f"Downloaded {len(file_bytes)} bytes from Telegram")
Confidence
95% confidence
Finding
r2 = requests.get(dl_url, timeout=(CONNECT_TIMEOUT, 60))

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documentation explicitly instructs the agent to deliver generated videos over external IM channels, which expands the skill from content generation into outbound messaging. That creates a real capability increase: an agent that can message third-party recipients can exfiltrate generated or user-provided media, contact unintended recipients, or perform actions outside the declared scope, especially if downstream tooling auto-executes documented workflows.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file documents use of Telegram, Discord, Feishu, WhatsApp, local credential files, environment tokens, and local downloads to `/tmp`, all of which materially broaden the trust boundary beyond simple video generation. Even though it includes some good security hygiene, it still normalizes access to external messaging services and local secrets without clearly demonstrating necessity, increasing the risk of credential misuse, unintended data transfer, and leakage of generated or uploaded content.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script reads Feishu app credentials from the local OpenClaw config, giving the skill access to messaging credentials unrelated to the declared video-generation purpose. In this context, the mismatch between the manifest and the capability increases risk because the skill can silently authenticate to an external messaging platform and act on the user's behalf.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements Feishu video-message delivery, not video generation or recipe/workflow browsing as described by the skill metadata. Capability mismatch is dangerous because it can mislead users and reviewers, hiding outbound communication and credential use inside a seemingly unrelated skill.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill includes task-generation logic that instructs downstream workers to deliver generated media over Feishu, Telegram, or Discord. That is broader than the declared video-generation purpose and creates an unexpected cross-channel data movement capability, which can be abused to route content outside the original context or organizational controls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill can fetch media from Telegram and Feishu using service tokens, expanding its scope from video generation into third-party chat content retrieval. In an agent setting, this materially increases data access and exfiltration risk because the tool can ingest content from external messaging platforms that users may not expect this skill to access.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README advertises very broad natural-language activation such as "make me a video about XX," which can overlap with ordinary conversation and cause the skill to trigger unintentionally. In an agent environment, ambiguous invocation increases the chance of accidental external API calls, asset uploads, and background job creation without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage section relies on generic conversational examples and does not define boundaries, disambiguation rules, or refusal cases. That makes it easier for an agent to interpret ordinary requests too broadly, especially when images or URLs are present, leading to unintended uploads or video-generation actions against the user's account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs operators to upload user-provided images/videos and to supply Telegram or Feishu access tokens, but it does not warn about consent, retention, sensitive-content handling, or safe credential practices. In an agent skill context, this omission can normalize sending third-party or private media to an external service and exposing tokens through CLI flags, logs, shell history, or transcripts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly instructs downloading a generated video to a local temporary path and then sending it to Feishu, but it provides no warning about external transmission, data handling, recipient validation, or consent. This creates a real risk of unintended data exfiltration, especially if generated videos contain sensitive user content or if the recipient identifier is misconfigured or attacker-controlled.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script accesses local Feishu credentials without any user-facing disclosure in the tool interface or manifest. Even if used for legitimate messaging, undisclosed credential access reduces transparency and can surprise users by enabling external actions under their account context.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Allowing a cover image to be supplied as a URL causes the script to fetch arbitrary external content server-side without explicit warning. In an agent/skill environment, this can expose internal network resources via SSRF or leak request metadata, making it more dangerous than a normal desktop utility.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`config-init` writes the Medeo API key to `~/.openclaw/workspace/medeo-video/config.json` in plaintext without warning the user that a credential is being persisted locally. On multi-user systems, backups, endpoint telemetry, or compromised local accounts, this increases the chance of credential disclosure.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes broad, everyday phrases such as 'video of', 'video about', and 'AI video', which can cause the skill to activate in contexts where the user did not explicitly intend to invoke this third-party video-generation workflow. In this skill, unintended activation is more dangerous because the manifest also describes uploads, rendering, and multi-platform delivery, so accidental routing of prompts or media to external services could expose user data or initiate unwanted actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest advertises asset uploads and delivery to platforms like Feishu, Telegram, Discord, WhatsApp, and Signal but provides no user-facing warning that prompts, files, or generated videos may be transmitted to external services. In a media-generation skill, this omission is security-relevant because users may supply sensitive text, images, or attachments that are then sent off-platform without adequately informed consent.

Session Persistence

Medium
Category
Rogue Agent
Content
# 🎬 Medeo Video Generator

Generate AI-powered videos from text. Tell your AI assistant "make me a video about XX" and it will automatically create the video using the [Medeo](https://medeo.app) platform, sending you the result in a few minutes.

---
Confidence
77% confidence
Finding
create the video using the [Medeo](https://medeo.app) platform, sending you the result in a few minutes. --- ## Installation ### Option A: Install via OpenClaw (Recommended) Tell your AI assistant

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.