Is makforce/zencreator-video-skill safe?

https://github.com/openclaw/skills/tree/main/skills/makforce/zencreator-video-skill

79
CAUTION

The zencreator-video skill is technically clean at the installation level — it contains only documentation files, no executable code, no git hooks, no npm scripts, and its installation exclusively contacted GitHub for the sparse-checkout clone. However, the skill's runtime design poses meaningful risks: it instructs the agent to use the user's real authenticated Chrome browser session to interact with a third-party NSFW adult content platform (zencreator.pro), upload local image files externally, and spend user credits (7–30 per generation) without per-operation confirmation. The skill also embeds sexually explicit example prompts directly into the agent's operational context. This skill should not be installed without explicit user awareness that it enables adult content generation and grants the agent access to their authenticated Chrome sessions.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 73/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 48/100 · 5%

Findings (10)

MEDIUM Authenticated Chrome Session Access -20

The skill instructs the agent to use profile="chrome" to attach to the user's real logged-in Chrome browser session. This grants the agent access to all authenticated websites, cookies, saved sessions, and browsing context present in that Chrome profile — not just ZenCreator.pro. Any browser tool action executed by this skill operates with the full privileges of the user's browser identity.

MEDIUM Local File Upload to External Third-Party Service -15

The skill instructs the agent to upload local image files from the user's filesystem to the external service app.zencreator.pro. While described as the legitimate use case for AI video generation, this creates a systematic mechanism for local files to be transmitted to a third-party NSFW platform.

MEDIUM Authenticated Browser Credential Scope Expansion -12

By requiring attachment to the user's real Chrome profile rather than an isolated browser context, the skill's browser interactions inherit access to all cookies, stored credentials, and active authentication tokens in that profile. A compromised version of the ZenCreator site or unexpected agent behavior could leverage this expanded scope.

MEDIUM NSFW Content Normalization in Agent Context -20

The skill embeds sexually explicit example prompts directly in the agent's system context and explicitly declares all content filters disabled. The 'ZenCreator AI University' example prompts include graphic sexual scenarios. This embeds adult content normalization into the agent's operational context, potentially lowering resistance to inappropriate adjacent requests.

LOW Unconfirmed Credit Spending on Third-Party Platform -15

The skill enables the agent to generate paid video content consuming 7–30 credits per operation on the user's ZenCreator account without requiring per-operation user confirmation. Accidental invocation, looping behavior, or misuse could result in significant unintended financial charges.

LOW Third-Party Commercial Adult Platform Dependency -17

The skill serves primarily as an agent-accessible client for ZenCreator.pro, a commercial NSFW platform. The agent becomes a billing and interaction proxy for this external service. Any changes to the platform (pricing, content policies, URL structure, ownership) directly affect the skill's behavior without notification to the user.

LOW Hardcoded External URL Navigation with Session Context -12

The skill directs the agent to navigate to specific third-party URLs using the user's authenticated Chrome session. Domain compromise, DNS hijacking, or subdomain takeover of zencreator.pro or app.zencreator.pro could silently redirect the agent to a malicious site with full access to the user's Chrome session.

INFO No Executable Code or Build Artifacts -3

The skill directory contains only SKILL.md and _meta.json. Systematic checks confirmed no package.json, npm install scripts, .githooks/ directory, .gitattributes filter drivers, .gitmodules, symlinks, or any other code execution mechanism. Nothing executes during installation beyond the git sparse-checkout.

INFO Clean Installation — GitHub Only -7

Installation performed a standard git sparse-checkout from github.com (140.82.121.4:443). No unexpected outbound connections, no unexpected processes spawned, and no filesystem modifications outside /home/oc-exec/skill-under-test/ were detected during the installation window.

INFO Canary File Reads Attributed to Monitoring Framework -5

Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at timestamps 1771926058 (monitoring startup) and 1771926082 (monitoring shutdown). These reads did NOT occur during the skill installation window (1771926063–1771926077). No write or modification events were recorded. The read pattern and timing are consistent with the oathe audit framework's own canary initialization and post-run integrity verification. The monitoring system's own conclusion of 'All canary files intact' is consistent with this interpretation.