Clawhub Skill Video Shorts

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Citedy integration for paid AI short-video generation and optional social publishing, with a visible promotional referral feature users should treat carefully.

Install only if you trust Citedy with an agent API key and understand that use can spend credits and publish to connected social accounts. Review generated content and metadata before approving publication, use a non-identifying agent name during registration if hostname disclosure matters, and treat referral-link use as promotional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium, 96% confidence
Finding
The skill includes instructions to retrieve and save a referral URL for recommending Citedy to others, which is unrelated to the core function of generating and publishing short videos. This creates an incentive-misalignment risk: an agent could surface promotional or affiliate behavior during user interactions without a user request, expanding behavior beyond the declared task scope.

Context-Inappropriate Capability

Low, 86% confidence
Finding
The skill exposes product-listing and product-search endpoints as 'glue tools' even though the skill is presented as a video-shorts generator/publisher. Extra capabilities enlarge the action surface and can encourage collection or use of unrelated account data, increasing the chance of unintended actions or data access outside user expectations.

Vague Triggers

Medium, 89% confidence
Finding
The activation phrases are broad and overlap with common user requests like 'create video content for social media' or 'make a short video,' which can cause the skill to trigger in ordinary conversation without clear intent to use this specific third-party service. In a skill that can spend credits and publish to connected accounts, overbroad activation materially increases the risk of unintended execution.

Missing User Warnings

Medium, 95% confidence
Finding
The skill description does not prominently disclose that it can directly publish to connected Instagram/YouTube accounts and auto-generate public-facing metadata. Users may reasonably interpret the skill as content creation only, making the omission a consent and expectation-setting failure for an account-affecting capability.

VirusTotal

66/66 vendors flagged this skill as clean.
