Tencent MPS Intl.

Security checks across malware telemetry and agentic risk

Overview

This skill mostly wraps Tencent Cloud media tools, but it needs review because it explicitly supports bypassing duplicate-content detection and has broad credential and cloud-upload behavior.

Install only after review. Use least-privilege Tencent Cloud credentials and a dedicated COS bucket, avoid command-line secrets, and assume local media may be uploaded to Tencent Cloud. Do not use the dedupe feature to evade platform rules or repost detection, and only use voice cloning, face swap, watermark removal, or subtitle removal when you have the rights and consent to do so.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (55)

Context-Inappropriate Capability (severity: High, confidence: 99%)

The document explicitly states that the function modifies video frames to bypass platform duplicate-content detection, which is an evasion objective rather than a neutral media-processing use. In the context of an agent skill, this enables users to automate circumvention of platform integrity controls and facilitates deceptive reposting or abuse at scale.

Intent-Code Divergence (severity: Medium, confidence: 96%)

The file uses benign-sounding terminology like "Video Deduplication" while describing a mechanism for evading duplicate-detection systems. This mismatch obscures the true purpose of the capability, increasing the risk that harmful behavior is normalized, misrouted, or silently triggered by agents and users.

Description-Behavior Mismatch (severity: Medium, confidence: 96%)

The documentation makes a safety-relevant claim that the tool is local and does not call the MPS API, but elsewhere states that local files may be auto-uploaded to COS and then opened via web preview. That mismatch can mislead users into providing sensitive local media under the assumption that no network transfer occurs, creating an information disclosure and consent problem even if no MPS billing is incurred.

Intent-Code Divergence (severity: Medium, confidence: 94%)

Describing the tool as local while later documenting remote upload behavior is a materially misleading trust boundary issue. In an agent skill context, users may rely on the 'local' label when deciding whether to expose proprietary videos/images, so the inconsistency increases the chance of unintended exfiltration to cloud storage or remote preview surfaces.

Context-Inappropriate Capability (severity: Medium, confidence: 95%)

The script goes beyond reading explicitly provided environment variables and will automatically invoke a helper to load Tencent Cloud credentials from system files such as /etc/environment or shell profiles. That broadens credential access beyond the immediate task flow and can cause the skill to silently consume higher-privilege credentials than the caller intended, especially in shared or agent-managed environments.

Description-Behavior Mismatch (severity: Medium, confidence: 83%)

When --download-dir is provided, the script automatically downloads remote URLs returned by the service and writes them to local disk. This expands the skill from cloud task orchestration into network-to-disk file retrieval, which can be abused if returned URLs are unexpected, attacker-influenced, or point to large/untrusted content; the risk is higher because the behavior is only lightly signposted.

Context-Inappropriate Capability (severity: High, confidence: 99%)

The docstring explicitly states the script modifies video frames to bypass platform duplicate-content detection, which is evasive behavior rather than ordinary media processing. In an agent skill context, this enables policy circumvention and abuse of third-party content platforms, making the feature itself unsafe by design.

Intent-Code Divergence (severity: High, confidence: 98%)

The file presents itself as a normal deduplication script, but its own documentation says it is for bypassing platform duplicate-content detection. This mismatch is a strong indicator of deceptive framing that can hide abusive capability from reviewers and downstream users.

Context-Inappropriate Capability (severity: Medium, confidence: 94%)

The script silently changes a local-file comparison workflow into a remote data-transfer workflow by automatically uploading local files to COS. This can expose sensitive media to cloud storage without explicit confirmation, which is especially risky in a tool that users may reasonably expect to operate locally when generating an HTML comparison page.

Description-Behavior Mismatch (severity: Medium, confidence: 92%)

The script's stated purpose is task-status querying, but it also generates and prints COS pre-signed download URLs for output media. That expands the capability from metadata inspection to temporary content access, which can expose processed media to anyone who can view logs or terminal output.

Context-Inappropriate Capability (severity: Medium, confidence: 85%)

When credentials are not present, the script attempts to auto-load them from system profile/environment files, broadening secret access beyond what users may expect from a simple query tool. In an agent or automation context, this can unintentionally pull sensitive cloud credentials from host configuration and use them without explicit consent.

Context-Inappropriate Capability (severity: Medium, confidence: 97%)

The loader searches for credentials in broad, user-controlled locations including parent-directory .env files, ~/.env, ~/.bashrc, and ~/.profile rather than restricting itself to the skill's own configuration scope. In an agent/runtime context, this can cause the skill to silently ingest secrets from unrelated projects or user shell files, expanding the trust boundary and enabling accidental secret capture or confused-deputy behavior.

Description-Behavior Mismatch (severity: Medium, confidence: 96%)

This file is presented as a task polling utility, but it also contains functions that upload local files to COS, download task outputs to disk, and generate HTML reports. That scope expansion is security-relevant because callers may import or trust the module for read-only status checks while it also enables network egress and local file writes, increasing the chance of unintended side effects in agent workflows.

Intent-Code Divergence (severity: Medium, confidence: 93%)

The module docstring claims it only provides poll_video_task() and poll_image_task(), but the implementation also performs upload, download, and HTML generation. This mismatch can mislead reviewers or agents into granting the file more trust than it deserves, causing security-sensitive behavior to be overlooked during integration.

Vague Triggers (severity: Medium, confidence: 93%)

The description advertises a very broad set of high-impact media manipulation and storage capabilities but provides almost no concrete activation constraints, user-intent checks, or scope boundaries. This increases the risk of over-triggering, ambiguous routing, and misuse of sensitive functions such as upload/download, face-swap, watermark removal, and subtitle removal when user requests are underspecified.

Missing User Warnings (severity: Medium, confidence: 93%)

The documentation explicitly supports `--local-file` uploads and remote `--url` inputs for cloud-based media analysis, but it does not warn users that submitted files/URLs and their contents are transmitted to Tencent Cloud services for processing. This can lead users to unknowingly send sensitive audio/video data, creating privacy, confidentiality, and compliance risks, especially for recordings containing personal data, secrets, or regulated content.

Missing User Warnings (severity: Medium, confidence: 96%)

The documentation explicitly supports passing SecretId and SecretKey via command-line flags, which commonly exposes credentials through shell history, process listings, CI logs, and debugging output. In a skill context that may generate commands for users or agents to run, this increases the chance of accidental credential disclosure even if the feature is intended for convenience.

Missing User Warnings (severity: Low, confidence: 88%)

The verbose mode is documented to print storage metadata including bucket, region, object key, URL, and related details without any warning about sensitivity. While not always secret, these values can reveal internal storage structure and temporary or directly accessible object locations, especially if logs are retained or shared.

Missing User Warnings (severity: Low, confidence: 84%)

The documentation advertises an option to show full file URLs without cautioning that URLs may expose object names, storage layout, or even directly retrievable resources depending on bucket configuration. In an agent skill, surfaced URLs may be logged, echoed to users, or propagated into downstream systems, increasing unintended disclosure risk.

Vague Triggers (severity: Medium, confidence: 88%)

The trigger phrases are broad natural-language terms that can match ordinary user requests and automatically route them to an evasion-focused tool. Because the underlying capability is high-risk, loose invocation criteria materially increase the chance of accidental or unjustified activation.

Missing User Warnings (severity: High, confidence: 97%)

The documentation describes a capability to bypass duplicate-content detection without any warning that this is a high-risk, potentially disallowed use. Omitting that warning makes misuse more likely and reduces the chance that an agent or operator will recognize the request as evasion behavior.

Missing User Warnings (severity: Medium, confidence: 93%)

The documentation explicitly promotes voice cloning of real human voices but provides no warning about consent, authorization, impersonation, or abuse risks. In a user-facing agent skill, this omission can normalize unsafe use and materially increases the chance of non-consensual cloning for fraud, harassment, or identity misuse.

Missing User Warnings (severity: Medium, confidence: 90%)

The file instructs users to submit local media files, remote URLs, and COS locations to cloud APIs, but does not clearly warn that this content is transmitted to external services and may be stored or logged remotely. This can lead users to upload sensitive audio/video data without informed consent, creating privacy, confidentiality, and compliance exposure.

Missing User Warnings (severity: Medium, confidence: 94%)

The documentation explicitly supports uploading local files to COS and optionally downloading generated outputs, but it does not warn users that media will be transferred to and stored in cloud storage. For a media-processing skill handling potentially sensitive videos, this omission can lead users to unintentionally expose personal, biometric, or proprietary content to remote services and retained outputs.

Missing User Warnings (severity: Medium, confidence: 96%)

The callback URL parameter allows task completion metadata or result references to be sent to an external endpoint, but the documentation does not warn that this can disclose processing details to third-party infrastructure. In this skill's context, outputs may concern erased watermarks, subtitles, faces, or license plates, making silent exfiltration of task/result metadata more sensitive than in a generic batch job.

VirusTotal

65/65 vendors flagged this skill as clean.