Explainer Video Maker

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for Pexo's hosted video service, but users should protect the API key and understand that prompts and uploaded media are sent to Pexo.

Install only if you are comfortable using Pexo's hosted service. Treat ~/.pexo/config as a secret file, restrict its permissions, do not commit or share it, and rotate the API key if it may have been exposed. Do not upload confidential prompts, images, audio, or videos unless Pexo's handling of that data is acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README tells users to place a live API key in a local config file but provides no guidance on protecting that file, avoiding commits, or using least-privilege secret handling. This can lead to accidental exposure through source control, shared home directories, logs, backups, or screenshots, resulting in unauthorized use of the Pexo account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to send the user's request verbatim and upload provided files to Pexo's hosted backend, but it does not clearly warn users about this third-party data transfer. Users may disclose sensitive text, media, or embedded metadata without understanding that the content leaves the local environment and is processed remotely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell users to persist a live API key in a plaintext file under the home directory without warning about credential sensitivity, file permissions, or safer secret-handling options. If the host is multi-user, backed up, inspected by other tools, or the home directory is exposed, the key can be recovered and used to access the Pexo account and API resources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically sources $HOME/.pexo/config as shell code, which means any commands present in that file execute immediately with the privileges of the running agent. Because this is code execution rather than simple key-value parsing, a malicious or tampered config file can run arbitrary commands, steal credentials, or alter subsequent API behavior.

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### 1. Create config file

```bash
mkdir -p ~/.pexo
```
Confidence
90% confidence
Finding
Create config file

```bash
mkdir -p ~/.pexo
cat > ~/.pexo/config << 'EOF'
PEXO_BASE_URL="https://pexo.ai"
PEXO_API_KEY="sk-<your-api-key>"
EOF
```

Get your API key at: https://pexo.ai - If you do n

VirusTotal

65/65 vendors flagged this skill as clean.
