ClawHub

Yq Story Video Generator

Security checks across malware telemetry and agentic risk

Overview

This video-generation skill is mostly coherent, but it tells the agent to automatically install FFmpeg with system package managers, including sudo paths, without requiring explicit user approval.

Install only if you are comfortable with the agent potentially changing system software to add FFmpeg. Prefer reviewing or editing the skill so FFmpeg installation requires your explicit approval, and run it in a workspace where overwriting files under output/ is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill directs the agent to install FFmpeg automatically using system package managers, including privileged package installation paths. That exceeds the minimum scope of a content-generation skill and can modify the host system without explicit user approval, creating unnecessary supply-chain and system-integrity risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document says FFmpeg should be installed automatically when absent but does not require a clear warning or confirmation before changing system software. Silent dependency installation is risky because users may not expect package-manager activity or privilege prompts from a video-generation skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is designed to run end-to-end and write multiple files under output/ without clearly warning that local directories and files will be created or overwritten. This can lead to unexpected filesystem modifications, especially if the agent runs in a shared or sensitive workspace.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs use of terminal commands and FFmpeg pipelines for scaling, concatenation, probing, and file manipulation, but it does not require a warning or confirmation before shell execution. In agent contexts, undisclosed terminal use increases the chance of unexpected host-side actions and makes command-injection mistakes more consequential.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal