ClawHub

Jimeng Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Volcengine Dreamina video-generation helper, with expected external API use and no evidence of hidden or destructive behavior.

Install only if you intend to send prompts and any referenced media to Volcengine for processing. Keep the Volcengine credentials file private, do not hardcode or log API keys, and avoid submitting secrets, regulated personal data, or confidential materials unless you have reviewed the provider’s data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users or agents to send prompts and a bearer API key to a third-party service but does not disclose the external data transfer, privacy implications, or safe credential handling practices. In an agent skill context, this is risky because prompts may contain sensitive user data and the documentation normalizes direct use of long-lived credentials without guidance on scoping, storage, or redaction.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs users to send prompts and possibly images to a third-party video generation API, but it does not clearly disclose the privacy, retention, or content-sensitivity risks of uploading user-supplied material. Because the tool generates audio/video externally, users may unknowingly transmit sensitive personal, confidential, or regulated content to the provider.

External Transmission

Medium
Category
Data Exfiltration
Content
### 生成带声音的视频

```bash
curl -X POST "https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${API_KEY}" \
  -d '{
Confidence
81% confidence
Finding
curl -X POST "https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${API_KEY}" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal