Jianying Editor Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real JianYing automation skill, but its installer and some data-handling features need manual review before use.

Review before installing. Do not use the one-line PowerShell installer; prefer a pinned repository or release you can inspect. Run it only on test JianYing projects first, keep backups, and avoid sensitive videos, transcripts, credentials, or private desktop activity unless you are comfortable with external AI/TTS services, local JianYing cache/log access, screen recording, and automated UI/file changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (42)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation exposes capabilities to read environment variables, access and modify local files, invoke shell commands, and make network requests, but it does not declare any permissions or clearly scope those operations. This creates a trust and review gap: an agent or user may invoke the skill assuming only video-editing behavior, while the skill can touch broader system and network resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared description presents the skill as a JianYing editing wrapper, but the referenced behavior includes local draft inspection, cache and project directory scanning, cloud asset downloading, external AI/API use, Windows UI automation, and desktop recording with global mouse/keyboard monitoring. That mismatch is dangerous because it hides surveillance-capable and data-exfiltration-capable functionality behind a benign editing label, increasing the chance of overbroad invocation and unintended access to sensitive local content.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The README tells users to execute a remotely fetched PowerShell command (`irm ... | iex`), which downloads and immediately runs code without giving the user a chance to inspect it. This creates a direct supply-chain and remote-code-execution risk: if the shortlink target is changed or compromised, users could run arbitrary attacker-controlled code on their machine.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This CSV embeds a large set of direct JianYing/VOD CDN audio URLs, which effectively turns the skill package into a distributed access map for remote media resources rather than a purely local catalog. Even without active exploit code, bundling many signed-looking or origin URLs can enable unintended third-party retrieval, policy bypass, license abuse, or privacy/telemetry leakage when the agent or user follows them automatically.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script's comments tell the user it only triggers export and leaves the file in Jianying's default directory, but the implementation actually scans common folders and moves the exported media to the caller-supplied output_path. This mismatch is dangerous because operators may underestimate file-system side effects, including relocation of recently created media and unintended overwrites in automation contexts.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The example sends subtitle text and local media metadata to an external chat skill for matching, which can expose potentially sensitive transcript content and file-derived metadata outside the local editing workflow users would reasonably expect from a video editor wrapper. In this skill context, that is more dangerous because subtitles often contain private spoken content, and the external dependency is not obvious from the editor-focused purpose.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code executes an external chat skill subprocess as part of core subtitle-to-material matching, introducing an unnecessary trust boundary and expanding the attack surface beyond the editor wrapper's apparent scope. If that helper script or its backing service is modified, compromised, or behaves unexpectedly, the example can leak data or make unsafe decisions based on untrusted output.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The page prominently instructs users to run `irm is.gd/rpb65M | iex`, which downloads and immediately executes a remote PowerShell script via a shortened URL. That creates a strong supply-chain and social-engineering risk because users cannot inspect the script beforehand, the destination can change over time, and the command is unrelated to safely documenting a static HTML page.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The template sends a local video file to an external AI service via `client.chat_completion(..., file_paths=[video_path])`, which can expose potentially sensitive media content off-host. This is especially concerning because the skill metadata emphasizes local editing automation and does not clearly disclose remote video analysis or data transfer, creating a transparency and privacy-consent gap.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The fallback rule explicitly authorizes downloading audio from the web, which expands the skill from local/media-library editing into external network access and local file creation. That creates supply-chain and policy risk: an agent may fetch untrusted content, leak network metadata, or perform actions outside the user’s expected scope without explicit approval.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The code scans external mitmdump log files and extracts asset URLs by matching IDs, including from paths outside the skill directory. This creates an undeclared data-access capability that can consume captured network traffic artifacts and use them to retrieve remote content, which is risky because those logs may contain sensitive or unintended URLs and the behavior is not transparent to users.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script marketed as a JianYing editing wrapper sends the provided video file to an external AI service for analysis via `file_paths=[video_path]`. This creates a data-exfiltration/privacy risk because users may reasonably expect local editing automation, not third-party upload of potentially sensitive media.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code performs external LLM/video-analysis calls unrelated to the narrow expectation of a local JianYing wrapper, expanding the trust boundary and exposing user media to a remote service. Even if functionally useful, this is security-relevant because it introduces undisclosed third-party processing and dependency on a remote model provider.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script enumerates JianYing's internal cache metadata and republishes cached music files into the skill's own assets directory, effectively duplicating user/application data outside its original storage context. That broadens access to potentially licensed or user-associated media and creates privacy, compliance, and unintended data-retention risk that is not clearly necessary for an editing wrapper.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code directly inspects JianYing internal user-data locations, including cache and resource databases, to discover and harvest media metadata and files. Accessing another application's internal data stores is sensitive behavior and increases the chance of over-collection, privacy violations, and breakage if the app's storage format changes, especially when not clearly justified by the advertised API purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code harvests JianYing device identifiers from local config and log files, then uses them to authenticate requests to an external Bytedance TTS endpoint. Even if intended for compatibility, this is a privacy and credential-handling issue because it silently repurposes locally stored identifiers without explicit user consent or clear authorization boundaries.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The recorder captures global mouse movement, clicks, and keyboard activity in addition to screen/audio capture, creating a broader surveillance capability than a user may expect from a video editor helper. Even if intended for zoom effects, this collects behavioral telemetry across the desktop and can expose sensitive activity patterns during recording.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Global keyboard monitoring is a sensitive capability because it can observe user input system-wide, including potentially sensitive keystrokes entered in other applications during recording. Here the code logs keypress timing rather than key values, which reduces severity, but the undeclared system-wide hook is still privacy-invasive and risky for a media-editing utility.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises automated export and UI automation behavior, including mouse/keyboard simulation and compatibility constraints, but does not clearly warn users about the security and operational risks of granting a skill control over desktop actions. In a desktop automation context, insufficient warning increases the chance of unintended clicks, interference with other applications, or data loss during automated export flows.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation not only suggests a remote installer script but does so without meaningful security warning, provenance details, or verification guidance. Because the command executes network-fetched PowerShell immediately, the absence of explicit risk disclosure materially increases the likelihood of unsafe execution by users.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code deletes any existing file at the user-provided output_path and then moves the discovered export there, with no confirmation, backup, or path restriction. In an automation or agent setting, this can destroy arbitrary user files if output_path is mistaken, maliciously supplied, or points to a sensitive location accessible by the process.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code forwards subtitle content and material metadata to an external chat script without any runtime warning, consent prompt, or privacy notice. That lack of disclosure is a real security and privacy problem because users may unknowingly transmit sensitive spoken text or project metadata while believing they are using a local editing utility.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
A one-click installer that pipes network content directly into `iex` executes arbitrary code with the user's privileges and gives no warning about code execution, persistence, package installation, or filesystem changes. In a skill-installation context this is especially dangerous because users are primed to trust setup instructions and may run the command without review.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The page advertises direct modification of JianYing draft JSON files and calls it '文件注入驱动' without a clear warning that project files will be altered automatically. Even if intended as product description, omitting safety guidance can lead users to corrupt projects, overwrite drafts, or operate on unintended files without backups or consent cues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The demo initializes a project with overwrite=True, which will automatically delete or replace an existing draft with the same name without any confirmation step. In an automation/editing skill, this can cause unintended data loss if a user reruns the script or if the fixed project name collides with an existing draft, though it does not appear to enable privilege escalation or code execution.

VirusTotal

3/67 vendors flagged this skill as malicious, and 64/67 flagged it as clean.
