ClawHub

Influencer

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it needs review because it helps create monetized synthetic influencers and includes guidance for making AI media less detectable.

Install only if you intend to create clearly disclosed fictional AI personas. Do not follow the detection-evasion advice, use only fully generated, licensed, or explicitly consented voices and likenesses, keep API keys and persona folders private, and require explicit human approval before posting content, contacting brands, signing contracts, or handling payments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The section explicitly teaches users how to make AI-generated images harder to detect, which facilitates deception of audiences, platforms, advertisers, and moderation systems. In the context of a virtual influencer skill, this goes beyond image quality guidance and becomes operational advice for concealing synthetic origin.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The 'Avoiding Detection' section explicitly provides tactics to make AI-generated influencer content appear more human and less detectable, including adding imperfections and fabricated 'behind the scenes' material. In the context of influencer operations, this materially enables deceptive impersonation and undisclosed synthetic media, increasing the risk of fraud, manipulation, and platform-policy evasion.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are extremely broad and map common requests like creating content, videos, captions, or performance summaries directly into powerful influencer-generation workflows. This can cause unintended activation in unrelated conversations and, in this skill, may initiate privacy-sensitive or deceptive media generation without sufficient user intent verification.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports voice and audio workflows including TTS and voice cloning, but provides no warning, consent requirement, or identity-verification safeguard. In this context, omission is dangerous because cloned voices can impersonate real people, facilitate fraud, or create non-consensual synthetic media.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill recommends face-swap on real footage and identity-manipulation video generation techniques without any disclosure, consent, or abuse-prevention controls. In a virtual influencer skill, this materially increases the risk of deceptive content, non-consensual likeness use, and deepfake-style impersonation at scale.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document provides deceptive image-generation tactics without any warning about authenticity, disclosure, consent, or misuse. Because the skill is about creating monetizable virtual influencers, this omission increases the likelihood of intentional impersonation, misleading advertising, or undisclosed synthetic personas.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The face-swap section recommends tools and use cases without any mention of consent, rights of publicity, or impersonation risks. Face-swapping is highly abuse-prone and, in this context, can enable non-consensual likeness use or deceptive content creation that appears to depict a real person.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The guidance for Twitter/X says to disclose AI content only 'if asked,' which encourages inconsistent disclosure and may mislead audiences about the synthetic nature of the persona. In a skill specifically designed to create and scale virtual influencers, this is more dangerous because it operationalizes deceptive posting practices across public platforms and can increase policy, reputational, and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The voice-cloning instructions tell users to record 'any voice that fits persona' and reuse the cloned output without any consent, licensing, or identity-safety safeguards. This lowers the barrier to unauthorized voice replication, impersonation, privacy violations, and fraud, especially in a skill centered on scalable influencer production.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guidance endorses face-swap post-production and generated 'candid' content without discussing consent, disclosure, or misuse constraints. In an influencer-creation context, these techniques can be used to fabricate realistic depictions of a person in situations that never occurred, creating significant risks of deception, privacy harm, and reputational abuse.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill gives step-by-step voice cloning instructions without any safeguards about informed consent, impersonation, biometric privacy, or compliance with platform and jurisdictional rules. In the context of an influencer-generation skill, this materially increases the risk of deceptive identity mimicry, fraud, and misuse of a person's voice as a biometric identifier.

Ssd 4

Medium
Confidence
95% confidence
Finding
The overall workflow normalizes generating, quality-checking, organizing, and publishing synthetic influencer imagery, culminating in instructions to avoid recognition as AI-generated. This combination creates a practical playbook for scalable deceptive media operations, which is more dangerous given the skill's monetization-oriented context.

Ssd 4

Medium
Confidence
97% confidence
Finding
This narrative guidance goes beyond general production advice and specifically steers creators toward making synthetic influencer content look authentically human and less machine-generated. Because the skill is about creating and scaling virtual influencers, the surrounding context amplifies the danger: it operationalizes deceptive presentation at scale for audience manipulation and policy evasion.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal