ClawHub
Back to skill

Security audit

Qwen Wan 2.6 Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward DashScope video-generation helper, but users should know their prompts, image URLs, and DashScope API key are used with Alibaba’s service.

Install only if you are comfortable configuring a DashScope API key and sending video prompts or referenced image URLs to Alibaba Cloud DashScope. Avoid using confidential prompts, private image URLs, or regulated data unless your account terms and organization policy allow it, and monitor usage because generated videos may incur provider charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises capabilities that require access to environment variables and outbound network calls, but it does not declare permissions or otherwise warn users about those capabilities. This can lead to unanticipated access to sensitive API keys and transmission of user data to external services, reducing transparency and weakening consent boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to configure an API key and send prompts or image URLs to DashScope, but it does not clearly warn that user content will be transmitted to a third-party provider. In a video-generation context, prompts and images may contain proprietary, personal, or sensitive material, so the lack of disclosure creates privacy and compliance risk.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script sends user-provided prompts and optional image URLs to a third-party cloud API, but the CLI offers no explicit privacy notice, consent step, or data-handling warning. In agent or automation contexts, users may not realize that potentially sensitive text or referenced images are being transmitted off-host to an external provider.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.