Byted Kickart Viral Replicator

Security checks across malware telemetry and agentic risk

Overview

This skill has a real video-generation workflow, but it handles cloud credentials and external account actions in ways users should review carefully before installing.

Install only if you trust the publisher and are comfortable giving this skill access to VolcEngine/Kickart credentials and media assets. Do not paste long-lived cloud secrets into chat; use a scoped, temporary credential or platform secret store if available. Review the package-registration/update steps, background polling, local logs, and media-retention behavior before using it with private, copyrighted, or business-sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (39)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The file's documented purpose is an async task progress query tool, which does not align with the skill's declared purpose of viral video cloning/replication. This kind of capability mismatch can cause the agent to load and follow irrelevant instructions, creating unintended behavior and widening the attack surface for prompt-routing confusion or hidden secondary workflows.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The document imposes a mandatory priority rule to trigger a 'query progress' workflow based on common phrases, even though that behavior is not the primary purpose stated in the skill metadata. Forced routing rules can override normal agent intent handling and be abused to hijack user interactions into unintended tool paths, especially when the phrases are broad and conversational.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The instruction to persist package-check results to a local database introduces unnecessary data retention beyond the file's stated purpose of validating service availability before video creation. Even if the stored field is only an expiry timestamp, local persistence expands the skill's data handling footprint, creates privacy and security obligations, and can expose user/account subscription metadata if the host is shared or compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The guide instructs the agent to run an upgrade script and potentially execute an install_command returned by that script, effectively delegating code execution to external or runtime-provided content. This is dangerous because it expands the skill from content generation into software maintenance and creates a path for arbitrary command execution or supply-chain compromise if the script output, package source, or update channel is tampered with.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The guide instructs the agent to fetch arbitrary user-supplied URLs with wget/curl and save them locally. That expands the skill from image-processing guidance into network retrieval of untrusted content, which can expose internal network resources, retrieve malicious payloads, or enable misuse well beyond the stated purpose of helping users provide avatar images.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The file directs the agent to run shell commands and a Python script for directory creation, remote downloads, and asset uploads. Introducing operational command execution that is not clearly part of the declared skill behavior increases attack surface and can be abused if file paths, URLs, or script inputs are influenced by untrusted user data.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The guide explicitly instructs the agent to ask users to paste raw ACCESS_KEY_ID and SECRET_ACCESS_KEY into the chat and then use them for runtime configuration. Collecting cloud credentials through the chat channel is unnecessary for a short-video replication skill and creates a direct path for credential exposure, mishandling, or downstream misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The document tells the agent to inspect environment variables containing API bases, API keys, and access keys, including secret-bearing variables. For a skill whose stated purpose is cloning viral short-video formats, reading runtime secrets is unrelated and expands access to sensitive material without functional justification.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The guide instructs the agent to echo full values of ARK_SKILL_API_KEY, ACCESS_KEY_ID, and SECRET_ACCESS_KEY to output, which directly exposes secrets in logs, transcripts, or tool output. This contradicts the later warning not to leak sensitive information and creates an immediate secret disclosure risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The reference file describes a Douyin/Dou Store product-material analysis tool, while the skill metadata claims the skill is for viral video replication/cloning. This capability mismatch can mislead orchestration logic, reviewers, or users into invoking a different workflow than advertised, increasing the risk of unintended data handling and unsafe downstream automation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The documented inputs and outputs are product links and product-material summaries rather than video-cloning artifacts promised by the skill description. This inconsistency is dangerous because agents may collect, process, or return the wrong category of content, leading to confused-deputy behavior, privacy/compliance issues, and user deception about what the skill actually does.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The code calls ListUsers with UserType='All' and selects an admin or first user ID for subsequent operations, which is unnecessary for a media upload helper and expands access beyond the current caller's identity. Enumerating IAM users can expose account structure and enable actions to be performed under a more privileged owner context than intended, especially in a skill designed to clone and upload media at scale.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding:
This code extracts all `url` fields from the service response and downloads them to local storage without validating scheme, host, content type, size, or ownership. In the context of a 'viral replicator/cloner' skill, bulk downloading third-party media materially increases the risk of unauthorized asset copying and, if the upstream service can be influenced, can also enable retrieval of unexpected internal or sensitive URLs via the downloader.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill metadata says it is for generating or cloning short-video content, but the code instead instantiates an external service client and calls `RegisterArkClawCombo`. This mismatch is a strong indicator of deceptive functionality and could cause unauthorized account/package registration or hidden external actions unrelated to the user's request.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The code performs external package/account registration via `iccp_service.post(...)` without any clear relationship to a video-cloning workflow. In a skill that should only help create content patterns, hidden registration behavior is dangerous because it can enroll users in services, trigger backend side effects, or abuse platform identity and billing flows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill spawns a detached background process and later invokes an external agent CLI using session metadata, which extends its behavior beyond simple media processing. In a user-facing tool, undisclosed background execution and cross-process notification can create privacy, auditability, and abuse risks, especially if attacker-controlled metadata or outputs are forwarded into downstream tooling.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The trigger description includes broad 'equivalent intent' wording, which can cause the skill to activate on loosely related requests. Over-broad invocation is a security issue when the skill has access to local files, uploads media, reads configuration/auth state, and contacts external services, because accidental triggering can lead to unintended data access or transmission. In this skill’s context, the danger is amplified by its cloning/upload workflow and reliance on persistent session/task data.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The task table’s '爆款裂变' row again uses broad equivalent-intent matching without strict boundaries. Because this path requires prior creative analysis, reference video handling, and likely remote processing/upload, ambiguous triggering can initiate a multi-step workflow with access to user media and external APIs without sufficiently explicit user intent. The surrounding context therefore increases risk beyond a simple UX issue.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger phrases include generic expressions such as asking whether something is ready, which commonly appear in ordinary conversation. Overbroad triggers can cause accidental activation of this guide, leading the agent to expose task-related behavior or perform unintended actions when the user did not clearly request status querying.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The mandatory intent-matching rule uses ambiguous keywords and instructs the agent to prioritize this guide, which increases the chance of prompt-routing errors. In a skill already mismatched to its declared purpose, such ambiguity is more dangerous because it can redirect unrelated user requests into a stateful task-query workflow without clear authorization or relevance.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The markdown requires persistent local storage of package-check results but does not disclose that user-related service status will be retained on disk. Undisclosed retention is a security and privacy issue because operators may collect account metadata without notice, and local files or databases may be accessible to other processes, administrators, or attackers on the same system.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The guide tells the agent to download user-provided image links to local storage and upload them onward, but it gives no user-facing notice about temporary storage, transfer, retention, or third-party processing. Because these are personal images used for a digital persona, the privacy sensitivity is higher and users may not understand how their data is handled.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The instructions tell the agent to have the user transmit Access Key credentials directly in the conversation, but do not warn that the chat channel may be logged, retained, or viewable by operators and systems. That makes credential compromise materially more likely and is especially unjustified given the skill's unrelated business purpose.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger conditions are overly broad because they include vague 'equivalent intent' language for cloning or making content similar to popular videos. This can cause the skill to activate on ambiguous user requests and steer users into a content-replication workflow without clear confirmation, increasing the risk of misuse for unauthorized imitation or policy-violating content generation.

Natural-Language Policy Violations

Severity: Medium
Confidence: 79%
Finding:
The skill instructs the agent to default the output language to Chinese in the preview shown to the user, rather than first collecting or confirming the user's language preference. While not a direct system compromise, this can override user intent and cause unintended content generation characteristics, especially in multilingual or cross-region contexts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal