ClawHub

Al Video Generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ShortAPI video-generation helper that uses a ShortAPI key and sends generation requests to ShortAPI, with no hidden install code or unrelated local access found.

Install this only if you intend to use ShortAPI for video generation. Use a dedicated ShortAPI key if possible, review prompts/media/callback URLs before submission, avoid sensitive content unless you are comfortable sending it to ShortAPI, and do not let background polling run indefinitely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to send prompts, model arguments, and an optional callback URL to an external service without requiring a clear user-facing disclosure that their data will leave the local system. In a skill context, this can cause unintended exfiltration of sensitive prompts or user-supplied URLs to a third-party API, especially because the behavior is presented as mandatory and automated.

External Transmission

Medium
Category
Data Exfiltration
Content
#### Bash (cURL) Example

```bash
response=$(curl --request POST \
  --url https://api.shortapi.ai/api/v1/job/create \
  --header "Authorization: Bearer $SHORTAPI_KEY" \
  --header "Content-Type: application/json" \
Confidence
96% confidence
Finding
curl --request POST \ --url https://api.shortapi.ai/api/v1/job/create \ --header "Authorization: Bearer $SHORTAPI_KEY" \ --header "Content-Type: application/json" \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl --request GET \
  --url "https://api.shortapi.ai/api/v1/job/query?id=$JOB_ID" \
  --header "Authorization: Bearer $SHORTAPI_KEY"
```
Confidence
91% confidence
Finding
https://api.shortapi.ai/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal