ClawHub

Startup Video

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for Pexo video generation, but users should review it because it sends business briefs/media to Pexo and keeps a live API key in a plaintext shell-sourced config file.

Install only if you are comfortable sending startup descriptions, website content, and uploaded media to Pexo's hosted service. Protect ~/.pexo/config as a secret file, restrict its permissions, avoid placing confidential or regulated information in prompts unless approved, and rotate the Pexo API key if the config may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that users can describe their company or paste their site and that all creative work happens server-side, but it does not clearly warn that potentially sensitive business information will be transmitted to and processed by a hosted third-party service. In this skill context, users are specifically encouraged to share startup descriptions, website content, and brand materials, which can include confidential roadmap, product, or fundraising information, making the omission materially risky.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs relaying the user's request verbatim, potentially including website contents and uploaded media, to a hosted third-party service without an explicit privacy notice or consent step. This creates a direct risk of sensitive business information, personal data, or proprietary materials being transmitted externally without the user understanding the data-sharing implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructions direct users to store a live API key in a plaintext file under their home directory without warning about credential sensitivity, restrictive file permissions, or safer secret-handling options. If the file is read by other local users, accidentally committed, included in backups, or exposed through logs/support bundles, the key could be used to access the Pexo account and its associated resources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically sources ~/.pexo/config as shell code, which means any commands placed in that file execute with the privileges of the calling user whenever this helper is loaded. Because this file is expected to hold authentication settings and is sourced implicitly, a local attacker, malicious installer, or compromised setup step could achieve arbitrary code execution and exfiltrate secrets without any additional prompt or warning.

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### 1. Create config file

```bash
mkdir -p ~/.pexo
Confidence
91% confidence
Finding
Create config file ```bash mkdir -p ~/.pexo cat > ~/.pexo/config << 'EOF' PEXO_BASE_URL="https://pexo.ai" PEXO_API_KEY="sk-<your-api-key>" EOF ``` Get your API key at: https://pexo.ai - If you do n

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal