ClawHub

Veevid AI Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Veevid video-generation helper that uses a local API key and sends chosen prompts or images to Veevid after confirmation.

Install only if you are comfortable giving your agent access to a Veevid API key, sending selected prompts/images to Veevid, and spending Veevid credits after confirmation. Protect the API key file, rotate it if exposed, and in Discord/group chats be aware the skill may read a few recent messages and post a quoted image confirmation to identify the right attachment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to read recent Discord messages and send confirmation messages, which expands its capabilities from video generation into chat surveillance and message operations. Even though it tries to limit selection to the requesting user's attachments, this still grants access to broader channel context and creates unnecessary exposure of message metadata and content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README tells users to write a live API key directly to a local file path but does not warn that the key is sensitive, should be protected with restrictive file permissions, and must not be committed, shared, or logged. In an agent/automation context, users may follow this verbatim on multi-user systems or in synced home directories, increasing the chance of credential disclosure and unauthorized API usage.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to match common conversational requests such as asking about pricing, available models, or generating a generic video, which can cause the skill to activate unexpectedly. Over-broad invocation increases the chance that the skill performs external API actions or accesses local/API-backed resources in contexts where the user did not clearly intend to use this specific third-party integration.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal