Security audit

FMT视频制作工具 v1.0

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed FMT video-production skill, with ordinary media-generation and local ffmpeg/Python steps, but users should approve any package installation first.

Install/use this skill only for intended FMT video work. Review file paths before ffmpeg or Python commands run, do not allow apt-get or other package-manager commands unless you explicitly want to change the system environment, and avoid sending sensitive narration text to TTS/video-generation tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding:
The skill explicitly recommends using `apt-get install ffmpeg` as a fallback, which expands its behavior from media processing into system package installation. Allowing an agent skill to install OS packages increases the attack surface, can modify the runtime environment unexpectedly, and may violate sandbox or least-privilege assumptions even if the stated purpose is only video production.

Vague Triggers

Medium
Confidence: 77%
Finding:
The trigger phrase `合成视频` ("compose a video") is generic and likely to match many unrelated video-editing requests, causing this skill to activate outside its narrow FMT-medical-video context. Overbroad activation can route user requests into a skill that uses powerful tools like `exec` and media-generation functions, increasing the chance of unintended command execution paths or misuse of privileged capabilities.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.