Phaya Media API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only helper for using a paid external Phaya media API, with sensitive costs and data-sharing risks that are mostly disclosed.

Install only if you intend to use Phaya as a paid external service. Treat PHAYA_API_KEY as sensitive, prefer a scoped or low-balance key, check credit costs before video jobs, and avoid sending confidential prompts, files, media URLs, or chat content unless Phaya and its downstream providers meet your privacy requirements. Avoid video downloading and credit-cache invalidation unless the user explicitly asks for those actions and they are permitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The documented user/account endpoints expose account profile, credit balance/history, and a cache-invalidation operation that are outside the skill’s stated purpose of media generation and chat completions. This expands the skill’s effective capability surface and can enable unnecessary access to billing/account metadata or operational actions users did not expect from the manifest description.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill documents generic video download, media upload, and FFmpeg utility endpoints that materially exceed the advertised scope of generating media and running chat completions. Hidden or under-declared file handling and download functionality increases the risk of data exfiltration, copyright/policy abuse, and unsafe processing of arbitrary remote content.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
External platform video downloading is not clearly necessary for a media-generation/chat skill and introduces a capability to fetch third-party content on behalf of the user. That can be abused for policy-violating downloads, retrieval of untrusted content, or movement of data through the service in ways users and integrators may not anticipate.

Missing User Warnings

Medium
Confidence: 88%
Finding
The reference states that user prompts, media URLs, and generated content may be processed by multiple third-party providers, but it does not warn users about privacy, retention, or cross-provider data sharing implications. In a skill handling arbitrary prompts and uploaded media, this omission can lead to inadvertent disclosure of sensitive content to external services.

VirusTotal

63/63 vendors flagged this skill as clean.
