ClawHub

AI media generation- Flux2pro,Google Veo3.1, Suno Ai..

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward VAP media-generation integration, with expected external API use and no hidden local execution or persistence.

Install only if you are comfortable sending media prompts, media URLs, and editing instructions to VAP and its backend providers. Avoid private or sensitive media links, and set VAP_API_KEY only when you want the agent to use your VAP account features, quota, or balance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The instruction block uses very broad trigger phrases like 'create/generate/make an image, video, or music' and 'edit/enhance/modify an existing image or video,' which can cause the skill to activate for common user requests without clear, scoped consent. Because the skill then sends prompts and possibly user-supplied media URLs to an external service, overbroad activation increases the chance of unintended third-party data disclosure or unexpected tool execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description explains that VAP routes requests to multiple backend providers, but it does not give a clear user-facing warning that prompts, media URLs, and editing instructions are transmitted to an external API/provider chain. This creates a privacy and consent risk because users may unknowingly share sensitive prompts or private media references with third parties.

External Transmission

Medium
Category
Data Exfiltration
Content
### Generate Image

```bash
curl -s -X POST https://api.vapagent.com/v3/trial/generate \
  -H "Content-Type: application/json" \
  -d '{"prompt":"PROMPT"}'
```
Confidence
94% confidence
Finding
curl -s -X POST https://api.vapagent.com/v3/trial/generate \ -H "Content-Type: application/json" \ -d '{"prompt":"PROMPT"}' ``` Returns `{"task_id":"UUID","status":"pending","remaining":2}`. ###

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Operation

```bash
curl -s -X POST https://api.vapagent.com/v3/operations \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"operation":"OPERATION","media_url":"URL","prompt":"INSTRUCTION"}'
Confidence
96% confidence
Finding
curl -s -X POST https://api.vapagent.com/v3/operations \ -H "Authorization: Bearer $VAP_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Generate Image

```bash
curl -s -X POST https://api.vapagent.com/v3/trial/generate \
  -H "Content-Type: application/json" \
  -d '{"prompt":"PROMPT"}'
```
Confidence
94% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Poll Result

```bash
curl -s https://api.vapagent.com/v3/trial/status/TASK_ID
```

Returns `{"status":"completed","image_url":"https://..."}` when done.
Confidence
83% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Task

```bash
curl -s -X POST https://api.vapagent.com/v3/tasks \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"TYPE","params":{"description":"PROMPT"}}'
Confidence
94% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Poll Result

```bash
curl -s https://api.vapagent.com/v3/tasks/TASK_ID \
  -H "Authorization: Bearer $VAP_API_KEY"
```
Confidence
80% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Operation

```bash
curl -s -X POST https://api.vapagent.com/v3/operations \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"operation":"OPERATION","media_url":"URL","prompt":"INSTRUCTION"}'
Confidence
96% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Poll Operation

```bash
curl -s https://api.vapagent.com/v3/operations/OPERATION_ID \
  -H "Authorization: Bearer $VAP_API_KEY"
```
Confidence
79% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"type":"music","params":{"description":"Upbeat lo-fi hip hop beat, warm vinyl crackle, chill vibes","duration":120,"instrumental":true,"audio_format":"wav","loudness_preset":"streaming"}}'

# Inpaint (edit an image)
curl -s -X POST https://api.vapagent.com/v3/operations \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"operation":"inpaint","media_url":"https://example.com/photo.jpg","prompt":"Remove the person in the background"}'
Confidence
91% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"operation":"inpaint","media_url":"https://example.com/photo.jpg","prompt":"Remove the person in the background"}'

# Upscale (4x)
curl -s -X POST https://api.vapagent.com/v3/operations \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"operation":"upscale","media_url":"https://example.com/photo.jpg","options":{"scale":4}}'
Confidence
88% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"operation":"upscale","media_url":"https://example.com/photo.jpg","options":{"scale":4}}'

# Background Remove
curl -s -X POST https://api.vapagent.com/v3/operations \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"operation":"background_remove","media_url":"https://example.com/photo.jpg"}'
Confidence
88% confidence
Finding
https://api.vapagent.com/

External Transmission

Medium
Category
Data Exfiltration
Content
For content campaigns, use `/v3/execute` to generate multiple assets from one prompt:

```bash
curl -s -X POST https://api.vapagent.com/v3/execute \
  -H "Authorization: Bearer $VAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"preset":"streaming_campaign","prompt":"PROMPT"}'
Confidence
90% confidence
Finding
https://api.vapagent.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal