Founder Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Pexo video-generation wrapper, but users should understand that prompts, uploaded media, and a local API key are involved.

Install only if you are comfortable sending founder-video prompts, pasted website text, and uploaded media to Pexo for processing and potentially using Pexo credits. Store ~/.pexo/config with restrictive permissions, do not commit or share it, rotate the API key if exposed, and avoid submitting secrets or regulated/confidential material unless Pexo's data handling terms are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README tells users to configure a hosted API service and states that creative work happens server-side, but it does not clearly warn that prompts, pasted website content, product/story details, and possibly other user-supplied materials will be transmitted to Pexo's backend. In a skill designed to ingest founder pitches and website content, this can lead users to unknowingly send sensitive business or personal information to a third party, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to send the user's request verbatim to Pexo's hosted backend, but it provides no privacy, retention, or third-party-sharing warning. Users may include sensitive business plans, personal stories, fundraising details, or credentials in prompts, and those would be transmitted externally without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow tells the agent to upload any user-provided files to Pexo, including downloaded content from URLs, without warning that local assets will leave the local environment. This is dangerous because files may contain personal data, proprietary media, embedded metadata, or confidential documents that users did not realize would be transferred to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions tell users to store a live API key in a plaintext file under their home directory without any guidance on restricting permissions or using a safer secret store. If the file is readable by other local users, included in backups, or accidentally exposed through logs, dotfile sync, or support bundles, the API key could be stolen and used to access the user's Pexo account and resources.

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### 1. Create config file

```bash
mkdir -p ~/.pexo
```
Confidence
91% confidence
Finding
Create config file

```bash
mkdir -p ~/.pexo
cat > ~/.pexo/config << 'EOF'
PEXO_BASE_URL="https://pexo.ai"
PEXO_API_KEY="sk-<your-api-key>"
EOF
```

Get your API key at: https://pexo.ai - If you do n

VirusTotal

60/60 vendors flagged this skill as clean.