Low risk: risk score 20/100
Last scan: 21 hours ago
nova-video
Generate images or videos using the Nova Video OpenAPI with a single sentence
This is a legitimate Nova Video API skill with minor documentation issues - hardcoded example API key placeholders in setup instructions, but no actual credential theft or malicious behavior.
Skill name: nova-video
Analysis time: 32.0s
Engine: pi
Verdict: safe to install
Replace the hardcoded example API key with a clear placeholder indicator (e.g., 'nv_sk_YOUR_KEY_HERE') and add a prominent warning that users must supply their own key. Otherwise, the skill is safe for use.

Security findings (2)

Severity / Finding / Location

Low: Hardcoded API key placeholders in documentation (category: documentation deception)
SKILL.md contains example API key strings ('nv_sk_xxx...' and 'nv_sk_your_key_here') in the setup instructions. While these appear to be placeholders (not real credentials), displaying key-like strings in docs is a documentation anti-pattern that could confuse users about proper credential handling.
    export NOVA_API_KEY="nv_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
→ Replace with a clearly labeled placeholder format like 'nv_sk_YOUR_KEY_HERE' and add a comment stating 'Replace with your actual API key from the dashboard'
Location: SKILL.md:39

Low: Redundant placeholder key in error handling section (category: documentation deception)
Line 57 repeats the 'nv_sk_your_key_here' placeholder in the instructions for users who don't have an API key.
    export NOVA_API_KEY="nv_sk_your_key_here"
→ Use consistent placeholder formatting and add a visual warning box distinguishing example values from user-specific configuration
Location: SKILL.md:57
Resource type          Declared  Inferred  Status        Evidence
Network access         READ      READ      ✓ Consistent  SKILL.md:45-50 - curl POST to nova-video.onesolo.app
Command execution      WRITE     WRITE     ✓ Consistent  SKILL.md:45-50 - curl commands for API calls are declared
File system            NONE      NONE                    No file operations detected
Environment variables  READ      READ      ✓ Consistent  SKILL.md:38 - Reads NOVA_API_KEY and NOVA_BASE_URL
Skill invocation       NONE      NONE                    No skill invocation detected
Clipboard              NONE      NONE                    No clipboard access detected
Browser                NONE      NONE                    No browser access detected
Database               NONE      NONE                    No database access detected
Pattern matches: 6 findings (2 high severity)

🔑 High / API key / Suspected hardcoded credential
API_KEY="nv_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
SKILL.md:39

🔑 High / API key / Suspected hardcoded credential
API_KEY="nv_sk_your_key_here"
SKILL.md:57

🔗 Medium / External URL
https://nova-video.onesolo.app/SKILL.md
SKILL.md:19

🔗 Medium / External URL
https://clawhub.ai
SKILL.md:26

🔗 Medium / External URL
https://nova-video.onesolo.app
SKILL.md:40

🔗 Medium / External URL
https://nova-video.onesolo.app
SKILL.md:51

Directory structure

1 file · 12.1 KB · 369 lines
Markdown: 1 file · 369 lines
└─ 📝 SKILL.md  Markdown  369 lines · 12.1 KB

Security highlights

✓ Uses environment variables (NOVA_API_KEY) for credential management - good security practice
✓ Declares all network activity (curl to nova-video.onesolo.app) in documentation
✓ Single-purpose skill focused on image/video generation via OpenAPI
✓ No access to sensitive files (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation techniques (base64, eval, etc.)
✓ No credential harvesting or data exfiltration behavior
✓ No reverse shell, C2, or persistence mechanisms
✓ Clear error handling for API authentication failures