Grok Imagine API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PoYo video-generation helper that uses a PoYo API key and sends user prompts or image URLs to PoYo, with credential and privacy hygiene caveats.

Install only if you trust PoYo with the prompts, image URLs, callback metadata, and generated-media workflow you submit. Set POYO_API_KEY through the environment or a secret manager rather than passing it on the command line, and only configure callback_url values that point to HTTPS endpoints you control or trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares the need for shell execution via `curl` in metadata and references a shell script, but no explicit permissions are declared in the skill file. That mismatch can cause the agent runtime or reviewer to underestimate the skill's operational capabilities, increasing the chance of unsanctioned command execution or secret handling through shell tooling.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The reference instructs users to send API keys and use an external service without any warning about credential handling, data sharing, or safe storage. In a skill context, this omission can lead operators to paste secrets insecurely, expose them in logs, or transmit sensitive prompts and media to a third-party processor without understanding the privacy implications.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The callback documentation describes POSTing task results to a user-supplied URL but does not warn about the risks of sending task data to external endpoints. This can cause unintended disclosure of generated content, metadata, or identifiers, and may encourage unsafe webhook configurations without authentication, signature verification, or HTTPS-only handling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script accepts the API key as a positional command-line argument, which can expose the secret through shell history, process listings, audit logs, and CI job output. This is a real credential-handling weakness even though the script also supports using an environment variable.

VirusTotal

61/61 vendors flagged this skill as clean.
