ClawHub
Back to skill

Security audit

auto-video-creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward XLXAI video-generation helper, but users should know prompts and selected images are sent to an external service.

Install only if you are comfortable using an XLXAI API key and sending your prompts, selected images, and generated video outputs through XLXAI or its hosting/CDN. Avoid sensitive, regulated, or private images unless external processing is acceptable, and use a dedicated API key where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill says it generates videos via the XLXAI API, which implies user prompts and possibly other content are transmitted to a third-party service, but it does not clearly warn users about that data flow. Users may provide sensitive prompts or proprietary material without understanding it leaves the local environment.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The image-to-video workflow explicitly allows local image paths and notes they are converted to data URIs, but it does not clearly warn that those local files will be uploaded off-device to the external API. This creates a real risk of accidental exfiltration of sensitive local files, especially if users assume local paths are processed locally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
If the user supplies a local image path, the script base64-encodes the entire file and transmits it to the external XLXAI API, but the CLI does not provide a clear privacy warning or explicit confirmation at the point of upload. In agent or automated environments, this can cause unintentional disclosure of sensitive local files or personal images to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal