Seedance 2.0 Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PoYo video-generation integration, with normal external API and API-key use for that purpose.

Install only if you are comfortable sending generation prompts, image URLs, job settings, task IDs, and optional webhook notifications to PoYo. Prefer setting POYO_API_KEY as an environment variable instead of passing it on the command line, and avoid using sensitive prompts or private image URLs unless PoYo's privacy and retention terms fit your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings
Severity: Medium (95% confidence)

Finding: The workflow instructs the agent to send Bearer-authenticated JSON to an external API but does not warn users that prompts, images, and possibly callback metadata will be transmitted to a third party. In an agent setting, this omission can cause unintentional disclosure of sensitive user content to an external service.

Missing User Warnings
Severity: Low (88% confidence)

Finding: The skill requires `POYO_API_KEY` but provides no handling guidance or warning about credential sensitivity. Without explicit safeguards, users or downstream tooling may expose the key in logs, prompts, shell history, or shared payload examples.

Missing User Warnings
Severity: Medium (92% confidence)

Finding: The documentation encourages use of a `callback_url` webhook but does not warn that prompts, task identifiers, status, and potentially other job metadata will be sent to the specified third-party endpoint. In a skill context, users may supply callback destinations they do not control or may not realize that sensitive creative inputs and metadata are being forwarded off-platform.
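The three findings above and the install guidance in the Overview all come down to two controls a wrapper around this skill should enforce: read `POYO_API_KEY` only from the environment and keep it out of anything that is logged or echoed back into an agent transcript, and refuse `callback_url` values that do not point at an https host the operator actually controls. The following is an added example written for this page, not code from the skill or from PoYo. The endpoint URL, the allowlisted callback host, the request field names and the sample key are all constructed assumptions; the real PoYo request format is not documented on this page. The example only assembles the request, so it runs offline.

```python
import os
from urllib.parse import urlparse

# Hypothetical endpoint for illustration only; PoYo's real API URL is not on this page.
API_BASE = "https://poyo.example.invalid/v1/generate"

# Webhook hosts the operator controls. Constructed for this example; anything
# outside this set (including a mistyped or attacker-supplied host) is refused.
ALLOWED_CALLBACK_HOSTS = {"hooks.mycompany.example"}


def load_api_key(env=None):
    """Read POYO_API_KEY from the environment, never from argv or a prompt.

    Fails closed: a missing or blank key raises rather than letting an
    unauthenticated job be assembled and later fail with the key in an error log.
    """
    env = os.environ if env is None else env
    key = env.get("POYO_API_KEY", "").strip()
    if not key:
        raise RuntimeError("POYO_API_KEY is not set; refusing to build the job")
    return key


def validate_callback_url(url):
    """Accept only https URLs on allowlisted hosts with no embedded userinfo.

    Prompt, task_id and status get POSTed here, so 'https://good.host@evil.host/'
    (which urlparse reports as hostname evil.host) and plain http must be rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.username or parsed.password:
        return False
    return (parsed.hostname or "") in ALLOWED_CALLBACK_HOSTS


def build_job_request(prompt, image_url, callback_url=None, env=None):
    """Assemble the Bearer-authenticated JSON request without sending it."""
    key = load_api_key(env)
    if callback_url is not None and not validate_callback_url(callback_url):
        raise ValueError("callback_url rejected: not an allowlisted https host")
    payload = {"prompt": prompt, "image_url": image_url}  # field names assumed
    if callback_url:
        payload["callback_url"] = callback_url
    headers = {
        "Authorization": "Bearer " + key,
        "Content-Type": "application/json",
    }
    return {"url": API_BASE, "headers": headers, "json": payload}


def redact_secret(text, key):
    """Mask the key wherever it appears in free text (error messages, CLI output)."""
    if not key:
        return text
    return text.replace(key, "[REDACTED]")


def loggable(request):
    """Copy of a built request that is safe to log or show to an agent."""
    safe_headers = {
        name: ("Bearer [REDACTED]" if name == "Authorization" else value)
        for name, value in request["headers"].items()
    }
    return {"url": request["url"], "headers": safe_headers, "json": dict(request["json"])}


if __name__ == "__main__":
    # Constructed environment so the example runs without a real key.
    demo_env = {"POYO_API_KEY": "sk_constructed_example_key"}
    req = build_job_request(
        "a cat on a skateboard",
        "https://images.example/cat.png",
        "https://hooks.mycompany.example/poyo",
        env=demo_env,
    )
    print(loggable(req))
```

The check in `validate_callback_url` is deliberately an allowlist rather than a blocklist: the failure mode in the third finding is a destination the user does not control, and the only way to know that is to enumerate the ones they do. `loggable` is what should reach logs and agent transcripts; the raw request with the `Authorization` header should never be printed or pasted into a shared payload example.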

VirusTotal

64/64 vendors flagged this skill as clean.
