Varg Ai

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a legitimate paid media-generation integration, but it has credential-exposure and unpinned self-update behavior that merit review before use.

Install only if you trust Varg with media prompts, uploaded files, generated outputs, and any BYOK provider keys. Use a dedicated low-balance Varg key, do not let the agent print or paste raw secrets, avoid the unpinned update step unless you re-review the updated skill, confirm every paid render or credit package, and do not upload private photos or confidential project code unless public URLs and remote caching are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill instructs the agent to initiate billing by creating a Stripe checkout session, which expands the skill from media generation into financial workflow handling. That increases risk because the agent can steer purchases, handle payment links, and trigger monetization actions that are not strictly necessary to fulfill a rendering request.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill asks the agent to collect an email address and a one-time passcode, then exchange them for long-lived API credentials. This is sensitive authentication handling beyond the core media-generation scope and creates account-takeover and secret-exposure risk if the agent mishandles the OTP response or stored credentials.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs users to place provider API keys in HTTP headers and JSON request bodies sent to a third-party gateway, but it does not clearly warn about the sensitivity of those credentials or the risk of accidental exposure via shell history, logs, proxies, debugging tools, or CI output. Although transmitting secrets to the intended service is necessary for BYOK operation, the lack of handling guidance makes this a real security documentation weakness rather than a purely benign example.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly instructs users to send locally authored TSX code and an API bearer token to a third-party cloud render service, but it does not clearly warn that prompts, embedded content, and referenced asset URLs leave the local environment. In a skill intended for media generation this transmission is expected, but the lack of a prominent disclosure can lead users to unknowingly upload sensitive content or use production credentials in contexts they did not intend.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation states that uploaded files are returned as a public URL, but it does not warn users that any uploaded content may become publicly accessible. This creates a real data exposure risk if users upload sensitive media, credentials, proprietary assets, or personal information under the assumption that uploads are private.

Missing User Warnings

Medium
Confidence: 91%
Finding
This guidance encourages use of recipient reference photos and hosting them at a public S3 URL without any privacy warning, access-control guidance, consent requirements, or retention limits. In a media-generation skill, that can lead users to expose personal images and biometric data in publicly accessible locations, creating privacy, unauthorized access, and downstream misuse risks.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation tells users to read a local TSX file and POST its full contents to a remote render service, but it does not explicitly warn that project code and embedded data will leave the local environment. In a skill context, users may copy these commands into sensitive repositories or include secrets, proprietary prompts, or internal asset references in the submitted file without realizing they are being transmitted off-host.

Missing User Warnings

Medium
Confidence: 90%
Finding
When saved credentials are found, the setup script silently exports the stored API key and immediately sends it to api.varg.ai to validate the account balance. This is a real privacy/security concern because running a local setup check causes credential use and external network transmission without an explicit opt-in or prominent disclosure at the point of use.

External Transmission

Medium
Category: Data Exfiltration
Content
# Submit to render service (requires jq)
JOB_ID=$(curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": $(cat video.tsx | jq -Rs .)}" \
Confidence: 95%
Finding
curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d

External Transmission

Medium
Category: Data Exfiltration
Content
# Read TSX and escape it for JSON (no jq needed)
CODE=$(sed 's/\\/\\\\/g; s/"/\\"/g; s/$/\\n/' video.tsx | tr -d '\n' | sed 's/\\n$//')

RESPONSE=$(curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": \"$CODE\"}")
Confidence: 95%
Finding
curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d

External Transmission

Medium
Category: Data Exfiltration
Content
curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": $(cat talking-head.tsx | jq -Rs .)}"
Confidence: 94%
Finding
curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d

VirusTotal

65/65 vendors flagged this skill as clean.