ClawHub

Product Video Maker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Pexo product-video wrapper that sends user media and prompts to Pexo using an API key, with privacy and key-handling precautions users should understand.

Install only if you are comfortable sending product photos, downloaded URL content, prompts, and project metadata to Pexo's hosted service. Treat the Pexo API key as a secret, restrict ~/.pexo/config permissions, avoid submitting confidential or regulated media unless your policy allows it, and remember that generating videos may consume Pexo credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that uploaded product photos and generated content are processed by a hosted backend, but it does not clearly warn users that their data will be transmitted to an external third-party service for server-side handling. In an agent-skill context, users may assume local processing unless explicitly told otherwise, creating privacy, data-governance, and consent risks for potentially sensitive product assets or unreleased marketing materials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to upload user-provided files and send the user's request verbatim to Pexo's hosted backend, but it does not require an explicit notice or consent step about external transmission. Users may unknowingly send product images, metadata, or sensitive business information to a third party, creating privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions direct users to store a live API key in a plaintext file under their home directory without any warning about file permissions, secret handling, or local exposure risks. If the workstation is shared, backed up insecurely, indexed, or the file is created with permissive permissions, the credential could be disclosed and used to access the Pexo account and API resources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently loads an API key from the user's home-directory config and makes it available to all calling scripts without an explicit consent boundary at point of use. In an agent context, this increases the chance that a later action transmits authenticated requests on the user's behalf without clear awareness or scoping.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This helper performs arbitrary authenticated HTTP requests to the configured remote service and accepts caller-supplied method, path, body, and extra curl arguments. In an agent skill, that creates a meaningful risk of silent external transmission of user data or unintended privileged API actions using the stored bearer token.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The SSE helper issues authenticated POST requests and can transmit request bodies to the remote service without any inline warning or user confirmation. Because POST is state-changing and the bearer token is automatically attached, misuse by higher-level scripts could trigger remote actions or data uploads without sufficiently transparent consent.

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### 1. Create config file

```bash
mkdir -p ~/.pexo
Confidence
90% confidence
Finding
Create config file ```bash mkdir -p ~/.pexo cat > ~/.pexo/config << 'EOF' PEXO_BASE_URL="https://pexo.ai" PEXO_API_KEY="sk-<your-api-key>" EOF ``` Get your API key at: https://pexo.ai - If you do n

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal