Hunyuan Video Generation Capability

Security checks across malware telemetry and agentic risk

Overview

This Tencent Cloud video-generation skill is mostly purpose-aligned, but it needs review because its setup instructions expose cloud credentials and its privacy warning for uploaded media is too weak.

Review before installing. Use a limited-scope Tencent Cloud key if possible, do not run the documented commands that print your SecretId or SecretKey, and avoid submitting private or regulated media unless Tencent Cloud processing and retention are acceptable for that content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (98% confidence)
Finding
The verification instructions tell users to print SecretId in full and part of SecretKey to console output. Console logs are often persisted in shell history, CI logs, terminal recordings, or shared screenshots, so this unnecessarily exposes sensitive cloud credentials.

Missing User Warnings

Medium (90% confidence)
Finding
The skill supports local file paths and public URLs for image/video inputs, but it does not clearly warn that these assets and prompts are transmitted to Tencent Cloud for remote processing. Users may unintentionally upload sensitive local media or confidential URLs without understanding the privacy implications.

VirusTotal

62/62 vendors flagged this skill as clean.
