ClawHub

VEED UGC

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ComfyDeploy client for generating lip-synced promotional videos from a user-chosen image and script, with expected but privacy-relevant remote upload behavior.

Install only if you are comfortable providing a ComfyDeploy API key and sending the selected image, image URL, dialogue script, and voice ID to ComfyDeploy for processing. Do not pass sensitive local files as --image, and avoid private likenesses, confidential marketing copy, or images of people without appropriate permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes use of environment-backed authentication and outbound network access to a third-party API, but no permissions are declared. This creates a transparency and governance gap: operators may run the skill without realizing it needs secrets and external connectivity, increasing the risk of unintended secret exposure or policy bypass.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When a local image path is provided, the script silently uploads that file to a third-party API. This is a real privacy/security issue because users may assume local processing and may not realize personal images or product photos are being transmitted off-device to an external service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The provided script text is sent to the remote API as part of the queued job, but the interface does not clearly warn users that their text leaves the local environment. If the dialogue contains unreleased marketing copy, personal data, or sensitive business content, this creates an avoidable data exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
## Direct API Call

```javascript
const response = await fetch("https://api.comfydeploy.com/api/run/deployment/queue", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
95% confidence
Finding
fetch("https://api.comfydeploy.com/api/run/deployment/queue", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
## API Details

**Endpoint:** `https://api.comfydeploy.com/api/run/deployment/queue`
**Deployment ID:** `627c8fb5-1285-4074-a17c-ae54f8a5b5c6`

## Required Inputs
Confidence
94% confidence
Finding
https://api.comfydeploy.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Direct API Call

```javascript
const response = await fetch("https://api.comfydeploy.com/api/run/deployment/queue", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
Confidence
95% confidence
Finding
https://api.comfydeploy.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal