Trust Assessment
mv-pipeline received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 16 findings: 5 critical, 7 high, 4 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (16)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koatora20/mv-pipeline/scripts/generate_veo.py:24 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koatora20/mv-pipeline/scripts/generate_veo.py:37 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koatora20/mv-pipeline/scripts/generate_veo.py:48 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/koatora20/mv-pipeline/scripts/score_clips.py:40 |
| CRITICAL | Untrusted Skill Instructions Manipulate Host LLM: The entire `SKILL.md` document, which is explicitly marked as untrusted input, contains direct instructions for the host LLM. This allows an attacker to manipulate the LLM's behavior by providing malicious instructions within the skill definition itself, bypassing the security boundary. The LLM is instructed to perform a multi-step pipeline (songwriting, music generation, video generation, etc.) based on this untrusted content. Skill definitions and instructions for the host LLM must be treated as trusted input and reside outside the untrusted content delimiters. Untrusted content should only be processed as data, not as commands or instructions. | LLM | SKILL.md:1 |
| HIGH | Dangerous call: subprocess.run(): Call to 'subprocess.run()' detected in function 'get_access_token'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/koatora20/mv-pipeline/scripts/generate_veo.py:24 |
| HIGH | Dangerous call: subprocess.run(): Call to 'subprocess.run()' detected in function 'download_from_gcs'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/koatora20/mv-pipeline/scripts/generate_veo.py:37 |
| HIGH | Dangerous call: subprocess.run(): Call to 'subprocess.run()' detected in function 'download_from_gcs'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/koatora20/mv-pipeline/scripts/generate_veo.py:48 |
| HIGH | Dangerous call: subprocess.run(): Call to 'subprocess.run()' detected in function 'get_video_info'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/koatora20/mv-pipeline/scripts/score_clips.py:40 |
| HIGH | Shell Command Injection via User-Controlled File Paths: The `scripts/generate_veo.py` script uses `subprocess.run` to execute `gsutil` commands. The `gcs_uri` and `local_path` arguments for `gsutil ls` and `gsutil cp` are constructed using `output_path`, which is directly derived from user-provided command-line arguments (`--output`). An attacker can inject shell metacharacters into the `--output` argument, leading to arbitrary command execution on the host system. Sanitize all user-provided input before passing it to `subprocess.run` or any shell command. Use `shlex.quote()` for individual arguments or prefer direct API calls over shell commands where possible. Avoid constructing shell commands by concatenating untrusted strings. | LLM | scripts/generate_veo.py:30 |
| HIGH | Shell Command Injection via User-Controlled Video Paths: The `scripts/score_clips.py` script executes `ffprobe` and `ffmpeg` commands using `subprocess.run`. The `video_path`, `input_path`, and `output_path` arguments for these commands are derived from user-controlled input (`--input-dir` and video filenames within that directory). An attacker can inject shell metacharacters into these paths or filenames, leading to arbitrary command execution. Sanitize all user-provided input before passing it to `subprocess.run` or any shell command. Use `shlex.quote()` for individual arguments or prefer direct API calls over shell commands where possible. Avoid constructing shell commands by concatenating untrusted strings. | LLM | scripts/score_clips.py:30 |
| HIGH | Arbitrary File System Access via User-Controlled Paths: Multiple Python scripts (`init_project.py`, `reformat_lyrics.py`, `transcribe_align.py`) construct file paths using user-provided arguments (`--name`, `--dir`, `--aligned`, `--formatted`, `--output`). These paths are then used with `os.makedirs`, `open()`, and `result.save_as_json()`. An attacker can use path traversal sequences (e.g., `../../`) in these arguments to read, write, or create files outside the intended project directory, potentially overwriting critical system files or exfiltrating sensitive data. Validate and sanitize all user-provided paths to prevent path traversal. Use `os.path.abspath()` and ensure the resolved path remains within an allowed base directory. Consider using a sandboxed environment for file operations. | LLM | scripts/init_project.py:10 |
| MEDIUM | Suspicious import: requests: Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/koatora20/mv-pipeline/scripts/generate_veo.py:13 |
| MEDIUM | Potential Data Exfiltration via Browser Automation and Snapshots: The skill explicitly mentions "Use Suno (suno.com) via browser automation." and "browser snapshot → get UI elements". Browser automation, especially when operating on a logged-in profile (`OpenClaw Browser (profile=openclaw)`), can access and potentially exfiltrate sensitive data displayed in the browser or stored in the browser profile (e.g., cookies, session tokens, personal information). Taking UI snapshots further increases the risk of inadvertently capturing and exfiltrating sensitive visual data. Implement strict sandboxing for browser automation. Restrict the browser profile's access to sensitive data. Carefully review and limit the scope of browser automation actions, especially those involving data extraction or screen capturing. Ensure any captured data is handled securely and not exposed to untrusted contexts. | LLM | SKILL.md:29 |
| MEDIUM | Unpinned Dependencies in Skill Installation: The skill's documentation and scripts suggest installing or using dependencies without specifying exact versions. `npx -y create-video@latest` explicitly uses the `@latest` tag, and `pip install stable-ts` does not specify a version. This makes the skill vulnerable to supply chain attacks, where a malicious update to an unpinned dependency could introduce vulnerabilities or backdoors into the system. Pin all dependencies to specific, known-good versions (e.g., `create-video@1.2.3`, `stable-ts==1.2.3`). Regularly audit and update pinned dependencies. | LLM | SKILL.md:121 |
| MEDIUM | Dynamic Module Loading from Relative Path: The `scripts/youtube-upload.js` script dynamically loads `video-uploader.js` from a relative path (`../../youtube-studio/scripts`). If the skill's installation directory or the `youtube-studio` directory can be manipulated by an attacker, a malicious `video-uploader.js` could be loaded and executed, leading to arbitrary code execution or credential harvesting. Ensure that the skill's installation path and all referenced external modules are protected from unauthorized modification. Consider using absolute paths to trusted libraries or cryptographic verification of module integrity before loading. | LLM | scripts/youtube-upload.js:14 |