ClawHub
Back to skill

Security audit

Next Video Gen

Security checks across malware telemetry and agentic risk

Overview

This looks like a real cloud video-generation skill, but it needs Review because it handles a sensitive API key with weak guardrails and includes an overbroad authenticated request helper.

Install only if you are comfortable sending prompts and media URLs to Volcengine/Ark. Use a limited-scope API key, avoid private or regulated content, do not let the installer persist the key in shell startup files unless you accept plaintext storage, and prefer the fixed generation scripts over the generic HTTP helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
79% confidence
Finding
The documented behavior goes beyond simple remote generation: it includes local installation steps, dependency probing, possible shell profile modification to persist API keys, and automatic downloading/saving of generated files. These side effects expand the skill's access to the user's system and secrets; if implemented without strong consent and clear scoping, they can expose API credentials, alter the environment unexpectedly, or write files in ways the user did not anticipate.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer solicits a secret from stdin and can persist it into the user's shell startup file, modifying long-lived environment state beyond simply copying the skill. This expands the installer's capability surface and increases risk of credential exposure, accidental leakage through shell history/config backups, or unwanted persistence if the installer is run in an automated or privileged context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This utility accepts an arbitrary URL from the command line and automatically attaches the DOUBAO_API_KEY as a Bearer token to every request. That means the script can be used as a generic authenticated exfiltration/proxy tool, not just for the stated video/image generation APIs, and an attacker who can influence the URL can cause secrets to be sent to an untrusted endpoint.

Context-Inappropriate Capability

Low
Confidence
74% confidence
Finding
Automatically invoking `open "$OUTPUT_DIR"` causes an unexpected local side effect in the user's desktop session. While low severity and aligned with a UX convenience goal, it can be disruptive and violates least surprise because simply generating media also triggers application/folder opening without explicit consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README clearly states the skill sends prompts and media to the Volcengine Ark API, but it does not explicitly warn users that their text, images, and videos are transmitted to a third-party service and may be retained or processed under that provider's policies. In a skill that handles potentially sensitive user media, omission of a privacy/data-transfer notice can cause unintended disclosure of confidential content.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README documents that generated files are saved automatically to ~/Videos/next-video-gen/, but it does not call out that running the skill creates local files on disk. While this is expected behavior for a media-generation tool, lack of an explicit notice can still surprise users, especially on shared systems or in environments with storage, privacy, or cleanup constraints.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently transmits the bearer token in an Authorization header without any user-facing disclosure, confirmation, or guardrails. In a skill context where scripts may be reused or invoked indirectly, this increases the chance that operators unknowingly send sensitive credentials to unintended destinations, especially because the URL is user-supplied.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends prompts and user-supplied media URLs to a remote Volcengine/Ark API, which may expose sensitive text, metadata, or private resource locations to a third party. In a generation skill this remote transfer is expected, but the lack of an explicit privacy/data-transfer warning increases the risk that users submit confidential content without understanding where it goes.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bin/cli.js:69