Back to skill

Security audit

OpenClaw Video Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a coherent video-publishing skill, but it gives an agent broad authority to publish or schedule public posts across multiple linked accounts without clear approval controls.

Review the external npm package or GitHub repository before installing. Use test or least-privilege platform credentials, avoid production accounts until verified, and require explicit confirmation before any upload, batch publish, retry, or scheduled post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly recommends unattended scheduled publishing to multiple external platforms, but it does not warn that an agent may perform account actions and upload user content automatically using stored credentials. In the context of an AI agent skill, this increases the risk of unintended external actions, misuse of authenticated accounts, privacy mistakes, and mass posting if prompts are ambiguous or the schedule is misconfigured.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.