Is ai-notes-ofvideo safe?
https://clawhub.ai/ide-rea/ai-notes-ofvideo
This skill is a legitimate Baidu AI video-notes integration with clean SKILL.md instructions and no prompt injection. However, it transmits user-provided URLs and API keys to an external third-party service (qianfan.baidubce.com) without local validation, and the install phase accessed sensitive files (.aws/credentials, .env) through the framework runtime. The external API dependency and unvalidated URL passthrough create a moderate risk surface for data exfiltration when combined with other skills.
Findings (9)
MEDIUM API key sent to external Baidu endpoint -15
All three Python scripts send the BAIDU_API_KEY to qianfan.baidubce.com in an Authorization: Bearer header. This is expected for the skill's function, but it means the user's API key is transmitted to a third-party cloud service on every invocation.
MEDIUM User video URLs sent to external API without validation -15
The create-task script forwards the user-provided video_url to Baidu's API as-is, with no local validation. Any URL the user provides (or the agent constructs) is transmitted externally, so an attacker who can chain this skill with others could encode sensitive data into URL parameters and have this skill send it out.
MEDIUM Sensitive files accessed during installation -30
During the install phase, the runtime accessed .env, .aws/credentials, .profile, .bashrc, openclaw.json and auth-profiles.json. This appears to be framework-level behavior rather than something the skill initiates, but the read of .aws/credentials is concerning because it exposes cloud credentials to any framework component.
MEDIUM Executable Python scripts with external HTTP calls -20
Three Python scripts make HTTP requests to Baidu's API using the requests library, and they pass their command-line arguments through to the external service. No dependency pinning or integrity verification is present.
LOW Unpinned requests dependency -10
The Python scripts import requests without any version pinning or requirements.txt, so whatever version happens to be installed in the agent's environment is used. A supply-chain attack on the requests package would compromise every invocation.
LOW No timeout on query endpoint -10
The ai_notes_task_query.py script sets no timeout on its HTTP request, unlike the other two scripts, which use timeout=30. requests has no default timeout, so a stalled connection would hang the agent indefinitely.
LOW Polling mechanism could mask timing-based attacks -15
The polling script accepts configurable max_attempts and interval_seconds parameters, so a caller can drive sustained periodic calls to the external API. That is legitimate for status checking, but the same pattern could be abused as a timing-based covert channel or as sustained beacon-like traffic.
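The fix for the two findings above (the missing timeout and the unbounded polling knobs) is the same loop: a per-request timeout, hard caps on attempts and interval that the caller cannot raise, and a total wall-clock budget. The following is an added example, not the skill's ai_notes_task_query.py; the fetch callable, the 'status' field and its values, and the numeric caps are assumptions chosen for illustration.

```python
"""Bounded status poller with a per-request timeout and a total wall-clock
budget. Added example, not the skill's ai_notes_task_query.py; the fetch
callable, the 'status' field and its values, and the caps are assumptions."""
import time
from typing import Any, Callable, Dict

# Hard limits the caller cannot raise, so caller-supplied max_attempts /
# interval_seconds cannot turn the loop into an open-ended beacon.
MAX_ATTEMPTS_CAP = 20
MIN_INTERVAL_S = 2.0
MAX_INTERVAL_S = 30.0
REQUEST_TIMEOUT_S = 30.0   # what the real script should pass as requests.get(..., timeout=...)
TOTAL_BUDGET_S = 300.0     # wall clock for the whole poll, whatever the attempt count

TERMINAL_STATUSES = {"done", "failed"}   # assumed vocabulary of the remote API

Fetch = Callable[[str, float], Dict[str, Any]]


def clamp_config(max_attempts: int, interval_seconds: float):
    """Clamp caller-supplied knobs into the allowed window."""
    attempts = max(1, min(int(max_attempts), MAX_ATTEMPTS_CAP))
    interval = min(max(float(interval_seconds), MIN_INTERVAL_S), MAX_INTERVAL_S)
    return attempts, interval


def poll_task(fetch: Fetch, task_id: str, max_attempts: int = 10,
              interval_seconds: float = 5.0,
              clock=time.monotonic, sleep=time.sleep) -> Dict[str, Any]:
    """Call fetch(task_id, timeout) until a terminal status, the attempt cap
    or the time budget is hit.

    fetch is whatever performs the HTTP call; it must honour the timeout it
    is given. A fetch that raises (e.g. requests.exceptions.Timeout) still
    counts as one attempt."""
    attempts, interval = clamp_config(max_attempts, interval_seconds)
    started = clock()
    last: Dict[str, Any] = {}
    for n in range(1, attempts + 1):
        if clock() - started > TOTAL_BUDGET_S:
            return {"outcome": "budget_exhausted", "attempts": n - 1, "last": last}
        try:
            last = fetch(task_id, REQUEST_TIMEOUT_S)
        except Exception as exc:   # timeouts / network errors: record and keep polling
            last = {"status": "error", "error": repr(exc)}
        if last.get("status") in TERMINAL_STATUSES:
            return {"outcome": last["status"], "attempts": n, "last": last}
        if n < attempts:
            sleep(interval)
    return {"outcome": "attempts_exhausted", "attempts": attempts, "last": last}


def demo_terminal() -> Dict[str, Any]:
    """Constructed offline run: a fake service says 'running' twice, then 'done'."""
    statuses = iter(["running", "running", "done"])
    timeouts, sleeps = [], []

    def fake_fetch(task_id, timeout):
        timeouts.append(timeout)
        return {"task_id": task_id, "status": next(statuses)}

    # max_attempts=1000 / interval=0.1 are deliberately abusive; clamping tames them.
    result = poll_task(fake_fetch, "task-123", max_attempts=1000,
                       interval_seconds=0.1, sleep=sleeps.append)
    result.update(timeouts=timeouts, sleeps=sleeps)
    return result


def demo_budget() -> Dict[str, Any]:
    """Constructed offline run: each fetch 'takes' 200s on a fake clock, so the
    300s budget stops the loop before max_attempts does."""
    now = [0.0]

    def fake_fetch(task_id, timeout):
        now[0] += 200.0
        return {"status": "running"}

    return poll_task(fake_fetch, "task-456", max_attempts=5, interval_seconds=2.0,
                     clock=lambda: now[0], sleep=lambda s: None)
```

The clock and sleep parameters exist so the loop can be exercised offline; in the real script they default to time.monotonic and time.sleep and the fetch callable wraps requests.get(..., timeout=REQUEST_TIMEOUT_S). The total budget is the control that matters against beacon-like abuse: clamping the interval alone still allows 20 calls every run, and clamping attempts alone still allows a 30 s interval to stretch a single run to ten minutes.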
INFO Clean SKILL.md with no injection patterns -10
The SKILL.md file contains only standard API documentation, usage examples and error-handling guidance. No hidden instructions, persona manipulation or obfuscated content were detected.
LOW Video URL passthrough creates potential exfiltration channel -20
If this skill is combined with others, an attacker could craft a malicious skill that encodes sensitive local data into a URL string, then invokes this skill to transmit it to Baidu's API as a 'video URL'. The create_note_task function performs no URL format validation.
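The local validation missing from the create-task script (the second finding above and this one) is an allowlist check on the URL before it is handed to the API. The following is an added example, not code from the ai-notes-ofvideo skill: the allowed scheme, the host suffix, the length caps and the exfil_url_for sample are illustrative assumptions, not values taken from the skill or from Baidu's API.

```python
"""Allowlist-style check for a user-supplied video URL before it is forwarded
to a third-party API. Added example, not code from the ai-notes-ofvideo skill;
the allowed scheme, the host suffix and the length caps are illustrative
assumptions, not values taken from the skill."""
import base64
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hypothetical allowlist: only hosts under this suffix may serve videos.
ALLOWED_HOST_SUFFIXES = (".example.com",)
MAX_URL_LEN = 512      # whole URL
MAX_QUERY_LEN = 64     # too short to smuggle much in the query string


class UnsafeURL(ValueError):
    """Raised when a URL fails the policy; the message names the rule that tripped."""


def validate_video_url(url: str) -> str:
    """Return url unchanged if it passes policy, otherwise raise UnsafeURL."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise UnsafeURL("url missing or longer than %d chars" % MAX_URL_LEN)
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise UnsafeURL("whitespace or control characters in url")

    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in url")

    host = (parts.hostname or "").lower()
    if not host:
        raise UnsafeURL("no host")
    try:
        ipaddress.ip_address(host)
        is_literal_ip = True
    except ValueError:
        is_literal_ip = False
    if is_literal_ip:
        raise UnsafeURL("literal IP addresses are not allowed")
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        raise UnsafeURL("host not in allowlist: %s" % host)

    if parts.fragment:
        raise UnsafeURL("fragment not allowed")
    if len(parts.query) > MAX_QUERY_LEN:
        raise UnsafeURL("query string longer than %d chars" % MAX_QUERY_LEN)
    return url


def is_safe_video_url(url: str) -> bool:
    """Boolean wrapper for callers that only want a yes/no answer."""
    try:
        validate_video_url(url)
        return True
    except UnsafeURL:
        return False


def exfil_url_for(secret: bytes) -> str:
    """Constructed sample of the abuse pattern in the finding: a sibling skill
    smuggles local data into the query string of a plausible-looking video URL
    on an allowed host."""
    payload = base64.urlsafe_b64encode(secret).decode()
    return "https://media.example.com/lecture.mp4?cache=" + payload
```

The caveat a reviewer should keep in mind: the host allowlist stops exfiltration to attacker-controlled hosts, but data hidden in the query string of an allowed host is only bounded, not prevented, by MAX_QUERY_LEN. A 64-byte cap rejects a full credential file in one request yet still lets a short secret through, so the cap should be paired with logging of every outbound URL and, where the API permits it, a strict path pattern for the expected video objects.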