Venice API Kit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Venice AI API toolkit whose network use, file inputs, generated outputs, and admin API-key operations match its stated purpose.

Install only if you intend to send selected prompts, media, audio, text files, and admin requests to Venice AI. Use an inference key for normal generation tasks, reserve admin keys for billing and API-key management, and review any local file path before running upload-style commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 96% confidence
Finding:
The examples encourage sending prompts, images, audio, and files to an external API, but they do not place a clear warning alongside those commands that user-supplied content leaves the local environment. Although the document later mentions privacy and trust generally, that is not sufficient for informed consent at the point of use, especially for sensitive media, transcriptions, or admin operations.

Missing User Warnings

Medium, 94% confidence
Finding:
When the --file option is used, the script reads the entire local file and sends its contents to a remote embeddings API, but it does not provide an explicit consent prompt or strong warning that local data will leave the machine. In a toolkit context, users may embed sensitive files by mistake, creating a real data disclosure risk even though the transmission is part of the intended functionality.

Missing User Warnings

Medium, 90% confidence
Finding:
The script uploads the full contents of a user-supplied audio file to a remote Venice API endpoint for transcription, but it does not provide an explicit consent prompt or strong warning at the point of transmission. Because audio may contain sensitive personal, business, or regulated data, silent remote transfer can create privacy and compliance risk even if the behavior is the tool's intended function.

VirusTotal

64/64 vendors flagged this skill as clean.