ClawHub

Short-Form Market Research Brain

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Virlo API research skill, but users should understand it sends requests to Virlo, uses an API key, can spend prepaid credits, and can create recurring monitoring jobs.

Install only if you intend to use Virlo and are comfortable storing a Virlo API key in the skill configuration. Ask the agent to confirm before paid requests, optional add-ons, or recurring monitoring, and review or stop active tracking jobs so they do not keep consuming prepaid balance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (15)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill clearly instructs the agent to send user-supplied research queries and the user's account-linked API key to Virlo's external service, but it does not explicitly warn users that their prompts and resulting usage metadata leave the local environment. This creates a transparency and privacy-consent issue because users may disclose sensitive market, customer, or competitive information without realizing it is transmitted to a third party.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promotes recurring monitoring and tracking features that continue collecting data and can incur ongoing charges, but it does not present a clear user warning about persistent activity and continuing spend before such workflows are set up. That omission can lead to unintended billing and longer-term third-party data collection beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs sending creator identifiers and an API bearer token to a third-party service without any user-facing disclosure or consent step. While this is core to the skill's functionality, the lack of transparency about external transmission of account-linked data can cause users to unknowingly share data with an outside processor.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The optional outlier analysis submits a TikTok video URL to an external API without warning the user that content metadata will be shared with Virlo. Even if the URL is public, sending it to a third party may have privacy, compliance, or data-governance implications that the current skill does not disclose.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example initiates recurring creator tracking and automatic AI report generation, including an immediate first cycle and ongoing billed cycles, but does not present an explicit user-facing warning or confirmation step before external collection begins. This can cause unintended monitoring of third-party accounts and unexpected charges, especially if an agent executes the workflow directly from a natural-language request.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example instructs the agent or user to send an authenticated bearer token to an external API without any warning that credentials will be transmitted off-platform. In a skill context, this can lead to uninformed secret disclosure and automatic execution of privileged API calls, especially if users assume examples are informational rather than operational.

External Transmission

Medium
Category
Data Exfiltration
Content
1. Start creator lookup:
```bash
curl "https://api.virlo.ai/v1/satellite/creator/tiktok/hatimsshorts?include=videos,outliers&max_videos=20" \
  -H "Authorization: Bearer {api_key}"
```
Confidence
82% confidence
Finding
curl "https://api.virlo.ai/v1/satellite/creator/tiktok/hatimsshorts?include=videos,outliers&max_videos=20" \ -H "Authorization: Bearer {api_key}" ``` 2. Poll every 10-15 seconds until completed: ``

External Transmission

Medium
Category
Data Exfiltration
Content
1. Start creator lookup:
```bash
curl "https://api.virlo.ai/v1/satellite/creator/tiktok/hatimsshorts?include=videos,outliers&max_videos=20" \
  -H "Authorization: Bearer {api_key}"
```
Confidence
82% confidence
Finding
https://api.virlo.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
2. Poll every 10-15 seconds until completed:
```bash
curl "https://api.virlo.ai/v1/satellite/creator/status/{job_id}" \
  -H "Authorization: Bearer {api_key}"
```
Confidence
80% confidence
Finding
https://api.virlo.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
5. Optionally analyze the top outlier video:
```bash
curl -X POST https://api.virlo.ai/v1/satellite/video-outlier \
  -H "Authorization: Bearer {api_key}" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://www.tiktok.com/@hatimsshorts/video/7618009747375017219", "platform": "tiktok"}'
Confidence
89% confidence
Finding
https://api.virlo.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
1. Start tracking the creator (initial cycle starts immediately):
```bash
curl -X POST https://api.virlo.ai/v1/tracking/creators \
  -H "Authorization: Bearer {api_key}" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
curl -X POST https://api.virlo.ai/v1/tracking/creators \ -H "Authorization: Bearer {api_key}" \ -H "Content-Type: application/json" \ -d '{ "platform": "tiktok", "handle": "khaby.lame",

External Transmission

Medium
Category
Data Exfiltration
Content
1. Start tracking the creator (initial cycle starts immediately):
```bash
curl -X POST https://api.virlo.ai/v1/tracking/creators \
  -H "Authorization: Bearer {api_key}" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
95% confidence
Finding
https://api.virlo.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
1. Create Comet configuration:
```bash
curl -X POST https://api.virlo.ai/v1/comet \
  -H "Authorization: Bearer {api_key}" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
82% confidence
Finding
curl -X POST https://api.virlo.ai/v1/comet \ -H "Authorization: Bearer {api_key}" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
1. Create Comet configuration:
```bash
curl -X POST https://api.virlo.ai/v1/comet \
  -H "Authorization: Bearer {api_key}" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
82% confidence
Finding
https://api.virlo.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
3. To check results after a run:
```bash
curl "https://api.virlo.ai/v1/comet/{comet_id}/videos?limit=20&order_by=views&sort=desc" \
  -H "Authorization: Bearer {api_key}"
```
Confidence
80% confidence
Finding
https://api.virlo.ai/

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal