Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vex Wet Doggy Pussy Gen

v1.0.1

Generate artistic NSFW images of Vex intimate areas (memek wet doggy, closeup pussy, boudoir poses) using each::sense API with safety off. Triggers on reques...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The SKILL.md describes generating NSFW images via the each::sense API and references a bundled PowerShell script that performs the API calls, but the package contains no script or code files. The skill also does not declare any required API key environment variables even though the instructions clearly depend on an API key — this is incoherent and disproportionate to the stated (single-purpose) functionality.
[!] Instruction Scope
Runtime instructions tell the agent to run a PowerShell script (scripts/gen-vex-memek.ps1) that calls an external endpoint with 'safety=false' and to write image files to media/vex-*.jpg. The referenced script is not included in the bundle, and the instructions embed a plaintext API key and explicit guidance to disable safety — both enlarge the attack/safety surface and violate expected scope/least-privilege practices.
Install Mechanism
No install spec is present (instruction-only), which minimizes on-disk install risk. However, the skill's runtime behavior depends on network calls to an external API, which may transmit prompts and generated images off-device.
[!] Credentials
The skill declares no required env vars or primary credential, yet the documentation contains a hardcoded-looking API key (MP1019K9NB6S3BK5YPT3YC4PZJ6FIXN3WWP7) and instructs updating that key in the script. Hardcoding credentials in a SKILL.md is inappropriate and exposes secrets; requiring no declared credential while depending on one is inconsistent.
Persistence & Privilege
The skill does not request always:true or other elevated persistence, and it does not declare system-wide config changes. Its privileges are limited to runtime network calls and file writes described in the instructions.
What to consider before installing
Do not install this skill as-is. The bundle is missing the referenced script and contains a plaintext API key and explicit instruction to disable safety — both are red flags. Ask the publisher for: (1) the actual script files (or remove the claim of a bundled script), (2) removal of any hardcoded credentials and a design that requires the API key to be supplied via a declared environment variable (primaryEnv), (3) justification for disabling safety and confirmation you are allowed to generate the requested imagery (especially if 'Vex' refers to a real person), and (4) a provenance/origin for the skill (homepage, author contact). If you proceed, ensure secrets are rotated (the embedded key should be considered compromised), and be mindful of legal and ethical risks around generating sexual images of named individuals and disabled safety filters.
