
Security audit

Story Video Skill

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its story-to-video purpose, but it can automatically run package-manager installs and uses API-key-backed network calls to configurable endpoints, so it needs review before installation.

Install only if you are comfortable sending story content and generated media prompts to MiniMax using your API key. Review or remove the ffmpeg auto-install logic first, and keep endpoint environment variables pointed only at trusted MiniMax-compatible HTTPS hosts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try apt (Debian/Ubuntu/WSL)
        print("[INFO] Detected Linux — running: sudo apt-get update && sudo apt-get install -y ffmpeg")
        try:
            result = subprocess.run(
                ['sudo', 'apt-get', 'update'],
                capture_output=True, text=True, timeout=120
            )
Confidence
98% confidence
Finding
result = subprocess.run( ['sudo', 'apt-get', 'update'], capture_output=True, text=True, timeout=120 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
            if result.returncode != 0:
                print(f"[WARN] apt-get update failed: {result.stderr.strip()}")
            result = subprocess.run(
                ['sudo', 'apt-get', 'install', '-y', 'ffmpeg'],
                capture_output=True, text=True, timeout=180
            )
Confidence
99% confidence
Finding
result = subprocess.run( ['sudo', 'apt-get', 'install', '-y', 'ffmpeg'], capture_output=True, text=True, timeout=180 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# macOS — try brew
        print("[INFO] Detected macOS — running: brew install ffmpeg")
        try:
            result = subprocess.run(
                ['brew', 'install', 'ffmpeg'],
                capture_output=True, text=True, timeout=300
            )
Confidence
96% confidence
Finding
result = subprocess.run( ['brew', 'install', 'ffmpeg'], capture_output=True, text=True, timeout=300 )

Tainted flow: 'T2I_URL' from os.environ.get (line 16, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
# ── API helpers ─────────────────────────────────────────────────────────────
def t2i_generate(visual_prompt):
    """调用 MiniMax T2I,返回 (img_url, error_msg)"""
    resp = requests.post(T2I_URL, headers=get_headers(), json={
        "model": "image-01",
        "prompt": visual_prompt,
        "aspect_ratio": "16:9"
Confidence
90% confidence
Finding
resp = requests.post(T2I_URL, headers=get_headers(), json={ "model": "image-01", "prompt": visual_prompt, "aspect_ratio": "16:9" }, timeout=60)

Tainted flow: 'I2V_URL' from os.environ.get (line 17, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def i2v_submit(img_url, prompt):
    """提交 I2V 任务,返回 (task_id, error_msg)"""
    try:
        resp = requests.post(I2V_URL, headers=get_headers(), json={
            "model": "MiniMax-Hailuo-2.3",
            "first_frame_image": img_url,
            "prompt": prompt[:200],
Confidence
90% confidence
Finding
resp = requests.post(I2V_URL, headers=get_headers(), json={ "model": "MiniMax-Hailuo-2.3", "first_frame_image": img_url, "prompt": prompt[:200],

Tainted flow: 'RETRIEVE_URL' from os.environ.get (line 19, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def get_download_url(file_id):
    try:
        resp = requests.get(RETRIEVE_URL, headers=get_headers(),
                           params={"file_id": file_id}, timeout=30)
        resp.raise_for_status()
        return resp.json().get("file", {}).get("download_url")
Confidence
87% confidence
Finding
resp = requests.get(RETRIEVE_URL, headers=get_headers(), params={"file_id": file_id}, timeout=30)

Tainted flow: 'POLL_URL' from os.environ.get (line 18, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
start = time.time()
    while time.time() - start < timeout:
        try:
            resp = requests.get(POLL_URL, headers=get_headers(),
                                params={"task_id": task_id}, timeout=30)
            resp.raise_for_status()
            result = resp.json()
Confidence
87% confidence
Finding
resp = requests.get(POLL_URL, headers=get_headers(), params={"task_id": task_id}, timeout=30)

Tainted flow: 'API_ENDPOINT' from os.environ.get (line 26, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"parameters": {"aspect_ratio": "16:9"}
    }
    
    response = requests.post(
        API_ENDPOINT,
        headers=headers,
        json=payload,
Confidence
95% confidence
Finding
response = requests.post( API_ENDPOINT, headers=headers, json=payload, timeout=timeout )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes execution paths that use environment variables, local file I/O, network access, and shell commands, yet it declares no permissions or capability boundaries. This creates a trust and consent gap: users or hosts may invoke a skill that can access secrets, write artifacts, contact third-party APIs, and run local commands without an explicit permission model.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates important behaviors such as attempting system-level ffmpeg installation, producing additional output artifacts, and relying on external MiniMax services. This mismatch is dangerous because operators may approve the skill for content generation while unaware it can execute privileged package-management commands and transmit data externally, increasing the chance of unintended system modification and data exposure.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The skill contains built-in software-installation logic for multiple platforms, meaning it can modify the local system rather than only process media. In an agent setting, that broader capability significantly increases risk because a simple content task now includes package management, network access, and system-state changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits image URLs and generation metadata to an external third-party API without any explicit user-facing notice or consent step. In a content-production pipeline, those URLs or prompts may contain sensitive or unpublished material, so silent exfiltration to a vendor increases privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The runtime flow attempts installation automatically when ffmpeg is missing, without any prior confirmation prompt from the user. In an agent workflow, this can lead to surprising privileged actions and host modification from what appears to be a simple media utility.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends full story content to a third-party LLM service without any explicit consent prompt, disclosure, or content-sensitivity checks. In this skill context, users may provide unpublished scripts, private narratives, or sensitive creative material, making silent external transmission a real privacy and confidentiality risk.

Ssd 4

Medium
Confidence
91% confidence
Finding
User-controlled story text is interpolated directly into the prompt with only weak natural-language instructions separating data from control. A crafted story can inject prompt directives that cause the model to ignore the intended task, produce malformed or adversarial output, or generate content that disrupts downstream processing in this video pipeline.

External Transmission

Medium
Category
Data Exfiltration
Content
| Variable | Required | Default | Description |
|------|------|--------|------|
| `MINIMAX_API_KEY` | ✅ | — | MiniMax API key |
| `MINIMAX_BASE_URL` | ❌ | `https://api.minimaxi.com/v1` | MiniMax API base URL |
| `MINIMAX_IMAGE_URL` | ❌ | `https://api.minimaxi.com/v1/image_generation` | Image generation endpoint |

## Directory structure
Confidence
90% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
|------|------|--------|------|
| `MINIMAX_API_KEY` | ✅ | — | MiniMax API key |
| `MINIMAX_BASE_URL` | ❌ | `https://api.minimaxi.com/v1` | MiniMax API base URL |
| `MINIMAX_IMAGE_URL` | ❌ | `https://api.minimaxi.com/v1/image_generation` | Image generation endpoint |

## Directory structure
Confidence
90% confidence
Finding
https://api.minimaxi.com/

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.