Full AI pipeline to create dark motivational TikTok/Reels videos using REAL video footage. Generates script (Claude), voiceover (ElevenLabs), searches real dark/cinematic video clips from Pexels API (no AI image generation), adds animated text overlays (MoviePy), color grading (FFmpeg), and exports final 1080x1920 MP4. Use this skill for: motivation video, dark

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed video-generation skill that uses Anthropic, ElevenLabs, Pexels, MoviePy, and FFmpeg for its stated purpose, with no evidence of hidden persistence, exfiltration, or destructive behavior.

Install only if you are comfortable using Anthropic, ElevenLabs, and Pexels for this workflow. Use a dedicated project folder, keep API keys out of source control, monitor provider usage or billing, avoid private business plans or personal data in topics/scripts, and only use voice cloning when you have explicit authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The description advertises multiple third-party API calls and local file generation but omits an explicit warning that user-provided topics, generated text, and media requests are transmitted externally and that output files are written to disk. In an agent skill context, lack of disclosure increases the chance of unintended data sharing and surprising side effects.

Natural-Language Policy Violations

Medium
Confidence: 86%
Finding
The document advises using an English voice for Vietnamese content and suggests voice cloning for accent realism without requiring user opt-in or offering locale-aware selection. This can misrepresent language authenticity, create misleading or culturally inappropriate output, and potentially encourage biometric voice-use practices without clear consent safeguards.

Missing User Warnings

Medium
Confidence: 86%
Finding
The script sends user-supplied topic, tone, and derived prompt content to Anthropic without any explicit privacy notice or consent flow. In an agent-skill context, that can expose sensitive user inputs to a third-party service unexpectedly, which is dangerous when users may assume local-only processing.

VirusTotal

64/64 vendors flagged this skill as clean.