WayinVideo - Video Understanding & AI Clipping

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WayinVideo helper that uploads videos for AI processing, saves task results locally, and offers optional progress notifications.

Install only if you intend to use WayinVideo with a WAYIN_API_KEY and are comfortable sending selected video content or URLs to the WayinVideo service. Avoid uploading sensitive meetings, faces, screens, or documents unless that transfer is acceptable. Check ~/.wayinvideo for saved config/results, and leave event notifications disabled unless you want task progress routed through the local openclaw command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Fire an openclaw system event (best-effort, never raises)."""
    # Only send if event_enabled = True and event_enabled > 0, which is False and 0 by default.
    try:
        subprocess.run([
            "openclaw", "system", "event",
            "--text", text,
            "--mode", "now"
Confidence
91% confidence
Finding
subprocess.run([ "openclaw", "system", "event", "--text", text, "--mode", "now" ], check=True, capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes a side-effecting capability to emit system events through a separate command unrelated to its stated video editing purpose. In an agent skill context, extra host interaction surface is more dangerous because it can leak workflow metadata or trigger unexpected integrations on the user's machine without a clear necessity.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation text is overly broad and can cause the skill to trigger for virtually any video editing or content analysis request, even when not necessary. Over-broad routing increases the chance that sensitive files or URLs are sent through this skill by default, expanding exposure and making misuse or accidental data transfer more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to upload local video files and later download exported media, but it does not prominently warn that these actions transfer local content to a third-party service and may write files to disk. In this context, the risk is elevated because videos often contain sensitive audio, faces, screens, documents, or meeting content, so silent upload/download behavior can cause significant privacy and data-handling issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Notification messages include task identifiers and, in some cases, absolute local save paths, then pass them to an external event command without clear user-facing warning at the call site. That can expose sensitive filesystem structure or task metadata to other local services, logs, desktop notification systems, or monitoring tools.

VirusTotal

67/67 vendors flagged this skill as clean.
