Web2Labs Studio

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Web2Labs video-editing integration, but it can upload local media, store an API key, delete projects, and run watcher-based automation, so users should enable it deliberately.

Install this only if you trust Web2Labs with the videos and metadata you process. Use `WEB2LABS_SPEND_POLICY=explicit` if you want approval before paid actions, avoid watcher/cron automation unless you want recurring processing, review any webhook URL before using it, and treat the saved API key in `~/.openclaw/openclaw.json` as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest markets the skill as a video editing and delivery tool, but the declared toolset expands into analytics, referral, brand management, project management, deletion, and watch features that are not clearly disclosed in the user-facing description. This mismatch weakens informed consent and can enable broader data access or actions than a user would reasonably expect from the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A referral feature is not naturally necessary for editing videos, generating captions, or delivering outputs, so its presence suggests scope expansion into growth, tracking, or promotional workflows. In a skill with network and filesystem permissions, unjustified extra capability increases the risk of collecting metadata or user identifiers, or of performing actions unrelated to the user’s editing request.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The downloadFile method accepts an arbitrary URL or path, fetches it, and writes the response to an arbitrary local destination path. In an agent context, this broad file-write primitive can be abused to retrieve attacker-controlled content and place it on disk outside the stated video-editing workflow, enabling unsafe file drops, overwrites, or staging of malicious content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code generates a long-lived reusable API key and persists it locally under a general user config file, which expands the skill's capability from transient authentication to ongoing account access. That is more sensitive than the manifest suggests, and if the local machine or config path is exposed, an attacker could reuse the key to access the user's Web2Labs account and consume credits or perform API actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill exposes a persistent `studio_watch` capability that monitors external channels and can automatically process and download new content, which materially exceeds the manifest's described one-shot upload/edit/download workflow. This hidden or under-disclosed automation increases operational and privacy risk because an agent could set up ongoing actions with recurring uploads, processing charges, and filesystem writes that the user did not reasonably expect from the skill description.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The skill includes referral and feedback/account-adjacent actions that are not reflected in the advertised scope, creating a capability mismatch between what users expect and what the agent can do. While these functions are less dangerous than file or execution primitives, undisclosed account-affecting actions can still lead to unintended data sharing, support submissions, or application of referral codes without informed user intent.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This tool exposes asset listing, upload, and deletion capabilities that are not disclosed by the skill metadata, which only describes video editing-related functions. Hidden or undocumented file-management behavior increases the chance that users or orchestrating agents invoke sensitive operations without informed consent, especially when combined with local file access and remote API calls.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This tool exposes brand retrieval and update capabilities even though the stated skill purpose is focused on video editing, shorts, captions, thumbnails, and cost estimation. Scope expansion like this increases the chance that an agent or user invokes sensitive account-modifying functionality unexpectedly, creating confused-deputy risk and unauthorized profile changes if the tool is reachable without clear manifest disclosure.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The tool exposes a destructive `deleteProject` operation even though the skill metadata describes only video editing, captioning, thumbnail generation, and cost estimation. This scope mismatch is dangerous because an agent or user may invoke deletion without expecting the skill to have destructive authority, increasing the risk of accidental or unauthorized project loss.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Deleting projects is a destructive capability that is not justified by the stated purpose of media processing and transformation. In this context, the presence of deletion functionality broadens the attack surface and can lead to loss of user work or assets if triggered accidentally, by prompt confusion, or by misuse of the API client.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The add flow creates persistent channel watchers that continuously monitor third-party sources and later trigger automated processing, which materially expands behavior beyond the described one-off upload/edit workflow. In a media-processing skill, this can cause ongoing collection and processing of content without clear user understanding, increasing the risk of unauthorized ingestion, policy violations, and unexpected cost accrual.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The check logic automatically polls enabled channels, downloads discovered videos, and uploads them for processing without an interactive approval step per run or per video. In this skill context, that is especially risky because the product handles external URLs and paid media processing, so silent automation can lead to unauthorized processing of third-party content, repeated uploads, and unbounded operational cost.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The tests show the skill registers substantially broader capabilities than the stated video-editing description, including delete, analytics, branding, assets, feedback, referral, and watch operations. This scope mismatch is a real security concern because hidden or undocumented capabilities reduce user transparency and may enable higher-risk actions than a user would reasonably expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Referral functionality is not obviously necessary for a video-editing skill and appears outside the declared purpose. Undocumented monetization or growth features can create trust and abuse risks, especially if an agent can invoke them without clear user intent or disclosure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The tests clearly exercise persistent channel-watching and polling behavior for YouTube/Twitch channels, including tracking processed uploads and daily quotas, which is materially broader than the manifest’s stated video-editing functionality. This kind of hidden monitoring capability increases risk because users may grant the skill access expecting one-time editing, while the implementation supports ongoing surveillance/automation against external accounts and content sources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The watch mode describes scheduled polling, downloading, and uploading of new channel videos, but it does not prominently require an explicit one-time confirmation that persistent monitoring and automatic processing will continue beyond the current interaction. In an agent setting, this can lead to unintended ongoing collection and processing of content, surprise spending, and privacy/consent issues if the user does not fully understand the persistence of the watcher.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest states that users may upload local files and provide YouTube/Twitch URLs, while also requesting both filesystem and network permissions, but it does not warn that local media and remote-linked content may be transferred to external services for processing. For a media skill handling potentially sensitive recordings, this lack of clear disclosure materially increases privacy and data exfiltration risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger, 'Process all videos in ~/recordings/ as youtube videos,' is broad enough to encourage bulk processing of an entire local directory without meaningful scope limits or explicit user confirmation of which files will be touched. In a media-processing skill that can consume credits and operate on local files or remote URLs, this can lead to unintended mass actions, surprise cost exposure, and processing of sensitive recordings if an agent activates on loosely matched requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example explicitly states that a remote video URL will be downloaded locally and then uploaded to Studio, but it does not warn the user that third-party content will be fetched, stored on the local machine, and transferred to an external service. This can create privacy, compliance, copyright, and data-handling risks, especially if users assume URL-based processing is remote-only or do not realize the content leaves their environment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The webhook example encourages sending processing status to an arbitrary external endpoint without warning that job metadata may be transmitted off-platform. In a media-processing workflow, callback payloads can include filenames, job identifiers, output links, or other sensitive operational data, creating a data disclosure risk if users paste untrusted URLs.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This method downloads arbitrary remote content and writes it directly to a caller-controlled local path without visible safeguards or user confirmation. In an agent environment, that can facilitate writing untrusted data to sensitive filesystem locations, which is broader and riskier than simply retrieving processed media results.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API key is written in plaintext to a local JSON config file with no user-facing disclosure in this code path. Even though the file mode is tightened afterward, plaintext secret storage increases the blast radius of local compromise, backup leakage, path redirection, or accidental exposure through tooling that reads dotfiles and config directories.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill registers a deletion tool that accepts only a `project_id` and shows no visible confirmation, safeguard, or reversible-delete semantics in this file. In an agent setting, this creates a real risk of accidental or unauthorized destructive actions against user projects, especially when project identifiers may be easy for the agent to enumerate via listing tools.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The authentication setup tool accepts raw API keys and setup codes but provides no visible warning, masking, or constrained handling guidance in this file. In an LLM-agent context, collecting and storing sensitive credentials without strong UX and redaction controls raises the chance of inadvertent disclosure through logs, transcripts, error payloads, or unsafe downstream storage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The upload path accepts an arbitrary local file path and sends that file to a remote API via uploadAsset without any visible confirmation, disclosure, or path restrictions in this code. In an agent setting, this creates a real exfiltration risk because a prompt or misconfigured workflow could cause unintended transmission of sensitive local files under the guise of normal media processing.

VirusTotal

65/65 vendors flagged this skill as clean.
