ClawHub

Vex Wet Doggy Pussy Gen

Security checks across malware telemetry and agentic risk

Overview

This NSFW image-generation skill is not proven malicious, but it needs Review because it sends prompts to an external service with safety disabled and saves generated images locally.

Install only if you intentionally want NSFW image generation, understand that prompts may be sent to a third-party service, and are comfortable with generated files being saved locally. Avoid entering private identifying details, and delete or secure saved outputs when using shared, synced, or backed-up machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The manifest description uses very broad trigger language for NSFW image generation, making accidental or overly permissive activation more likely. In this context, broad matching is especially risky because the skill invokes an external image-generation workflow with safety disabled and writes outputs to disk, so unintended triggering can lead to policy, privacy, and content-generation harm.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description states that generated images are written to media/vex-*.jpg but does not clearly warn users that files will be persisted locally. Silent disk writes can expose sensitive NSFW material to other users, backups, indexing services, or later retrieval on shared systems.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill sends prompts to an external API and explicitly notes safety=false, yet provides no clear privacy or security warning to users. This is dangerous because user prompts may contain sensitive or personal content, and disabling provider safety checks increases the likelihood of abusive, disallowed, or harmful content generation and related compliance exposure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal