Yollomi AI Image & Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Yollomi image and video API wrapper, with expected API-key and network use but some privacy and cost details users should notice.

Install only if you are comfortable sending generation prompts, image URLs, and image/video inputs to Yollomi or the configured YOLLOMI_BASE_URL. Keep YOLLOMI_API_KEY private, avoid untrusted base URL overrides, and confirm model and output count because some video and multi-output requests can consume substantial credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill metadata declares only an environment-variable requirement, but the documented behavior clearly uses outbound network access and shell-based curl examples. This mismatch reduces transparency and can bypass user or platform expectations about what capabilities the skill will exercise, especially when handling API keys and external requests.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill is presented as an AI image generator, but the content also supports video generation and model enumeration. This description-behavior mismatch can cause users to authorize a narrower function than the skill actually performs, increasing the risk of unintended data sharing, cost consumption, or policy bypass.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README tells users to configure an API key and use a unified generation endpoint, but it does not disclose that prompts and potentially user-supplied source images or video inputs will be transmitted to a third-party Yollomi service. This creates a real transparency and privacy risk because users may send sensitive content to an external processor without informed consent, which is especially relevant for image-to-image and video workflows where uploaded media may contain personal or proprietary data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill documentation does not clearly warn that prompts and image URLs are transmitted to a third-party API. Users may unknowingly send sensitive text, internal URLs, or private image locations to an external service, creating confidentiality and privacy risks.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding: The skill requires a sensitive API key but does not provide guidance on secure credential handling. Without warnings, users may place keys in insecure contexts, log them accidentally, or expose them through shell history or shared environments.

VirusTotal

39/39 vendors flagged this skill as clean.
