vargai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Varg media-generation skill: it uses the API keys you would expect, cloud and local render commands, and remote media services, and it needs some privacy and credential-handling cautions for users.

Install only if you trust Varg with your prompts, source templates, media inputs, generated outputs, and API keys. Keep .env files out of source control, review curl/bun commands before running them, prefer preview mode before paid renders, avoid uploading sensitive or non-consensual personal photos, and treat returned S3/output URLs as potentially shareable unless Varg documents otherwise.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to access environment variables, make outbound network requests, and execute shell commands, but it does not declare corresponding permissions. That mismatch weakens policy enforcement and informed consent, because a caller may invoke a skill that can exfiltrate secrets or run local commands without those capabilities being explicitly surfaced.

Tp4

High
Category
MCP Tool Poisoning
Confidence
75% confidence
Finding
The documented behavior extends beyond simple media generation into project inspection, local environment detection, shell-based setup, and use of multiple external providers. This expands the attack surface and can cause the agent to access local files or credentials in ways users would not reasonably expect from the stated description.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and overlap with ordinary user intents like creating a video, generating an image, or text-to-speech. Overbroad triggers increase the chance of accidental invocation, which is more dangerous here because the skill can lead to shell execution, environment access, and external API calls using sensitive keys.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to store sensitive API keys in a local `.env` file but does not warn them to keep that file out of source control, restrict file permissions, or use secret-management practices. This omission can lead to accidental credential disclosure through git commits, shared archives, CI logs, or improperly secured developer machines.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly instructs users to send their TSX code and bearer API key to a remote render service, but it does not clearly warn that prompts, code, and generated assets leave the local environment and are processed server-side. In a skill that may be used with sensitive creative inputs or proprietary media workflows, this omission can lead users to disclose confidential data without informed consent.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The workflow tells users to consume `output_url` and intermediate `files` URLs but does not warn that generated media and metadata may be stored remotely and potentially accessible via shared links or provider-managed storage. This is primarily a transparency/privacy weakness rather than direct code execution, but it can expose sensitive generated content or prompts if users assume outputs are ephemeral or private by default.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that uploaded files return a public URL but does not prominently warn that uploaded content becomes publicly accessible. Users may unknowingly upload sensitive media, credentials, or proprietary assets and expose them to anyone with the URL, creating confidentiality and privacy risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The BYOK section instructs users to transmit third-party provider API keys via headers without clear guidance on secure handling, storage, logging, or scope limitation. This increases the chance that users will paste sensitive keys into insecure contexts, shell history, proxies, logs, or client-side code, leading to credential compromise across external providers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The render API documentation says the user's API key is automatically used for downstream AI generation calls but does not clearly warn that submitted code, prompts, and assets may be sent to third-party providers under that authority. This can surprise users and cause unintended disclosure of sensitive content or unanticipated billing/provider usage.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The manual setup example instructs users to append an API key directly into `.env` without any warning about protecting that file. In isolation this is common developer practice, but in documentation it can normalize unsafe secret handling and increase the chance that credentials are later committed, copied into logs, or left in shared environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The recipe instructs users to upload recipient reference photos to S3 and use them in personalized video generation, but it provides no privacy notice, consent guidance, retention limits, or handling requirements for biometric/personal data. Because this skill is specifically designed to process identifiable images of real people, the omission increases the risk of unauthorized sharing, improper storage, and privacy-law noncompliance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cloud-render templates explicitly send user-authored TSX source code to a remote service and include a bearer token in the request, but the surrounding documentation does not clearly warn users that their code and prompts leave the local machine. In a skill context, this is a real transparency and data-handling issue because users may paste sensitive content into templates without realizing it is transmitted to a third-party API.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The local-mode examples access `process.env.VARG_API_KEY` directly without any user-facing credential-handling guidance. While this is common in sample code, it still creates a real risk that users will hardcode keys, expose them in shell history, logs, screenshots, or commit them to source control when adapting the template.
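The credential-handling findings above (the `.env` file with no source-control or permission guidance, the manual setup line that appends the key to `.env`, and the local-mode templates reading `process.env.VARG_API_KEY`) come down to two practices: keep the key in a file only its owner can read and git ignores, and check that no copy of the key has escaped into adapted templates, logs or archives. The shell script below is an added example written for this page, not code from the Varg skill or its documentation; it assumes the variable is named VARG_API_KEY as in the skill docs, and the function names and the sample key value are its own.

```sh
#!/bin/sh
# Added example (not part of the Varg skill or its docs): put the key the skill
# asks for into a .env file that is owner-only and git-ignored, then scan the
# working tree for copies of that key that escaped into other files (adapted
# templates, logs, archives). Assumes the variable is VARG_API_KEY as in the
# skill docs; function names and sample values are this example's own.

# write_env_key DIR NAME VALUE
# Create or update DIR/.env with mode 0600 and make sure git ignores it.
# umask 077 means the file never exists world-readable, even briefly.
write_env_key() {
  dir=$1; name=$2; value=$3
  (
    umask 077
    touch "$dir/.env"
    # drop any existing NAME= line, then append the new value
    { grep -v "^$name=" "$dir/.env" || :; printf '%s=%s\n' "$name" "$value"; } > "$dir/.env.tmp"
    mv "$dir/.env.tmp" "$dir/.env"
  )
  chmod 600 "$dir/.env"   # tighten a pre-existing, looser file too
  grep -qxF '.env' "$dir/.gitignore" 2>/dev/null || printf '.env\n' >> "$dir/.gitignore"
}

# env_file_is_private FILE -> 0 if FILE is mode 0600 or 0400, 1 otherwise
# (GNU stat first, BSD/macOS stat as the fallback)
env_file_is_private() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case $mode in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# scan_for_leaked_key DIR NAME
# Read NAME's value from DIR/.env and list every other file under DIR that
# contains that literal value (Authorization headers in logs, hardcoded copies
# in adapted templates, ...). Returns 1 when anything is found, so it can gate
# a commit or a CI step.
scan_for_leaked_key() {
  dir=$1; name=$2
  value=$(sed -n "s/^$name=//p" "$dir/.env" | head -n 1)
  [ -n "$value" ] || return 0
  hits=$(find "$dir" -type f ! -name .env ! -path '*/.git/*' \
           -exec grep -lF -- "$value" {} + 2>/dev/null || :)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Demo on a throwaway directory: sh env-hygiene.sh --demo
if [ "${1-}" = --demo ]; then
  work=$(mktemp -d)
  write_env_key "$work" VARG_API_KEY "vk_example_not_a_real_key"   # constructed value
  printf 'Authorization: Bearer vk_example_not_a_real_key\n' > "$work/render.log"
  env_file_is_private "$work/.env" && echo ".env is owner-only"
  scan_for_leaked_key "$work" VARG_API_KEY || echo "key found outside .env (listed above)"
  rm -rf "$work"
fi
```

In practice, call `scan_for_leaked_key . VARG_API_KEY` from a pre-commit hook or a CI step: a non-zero exit blocks the commit, and the listed paths tell you which log or template to scrub before the key has to be rotated.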

External Transmission

Medium
Category
Data Exfiltration
Content
TEMPLATE

# Submit to render service (requires jq)
JOB_ID=$(curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": $(cat video.tsx | jq -Rs .)}" \
Confidence
95% confidence
Finding
curl -s -X POST https://render.varg.ai/api/render \ -H "Authorization: Bearer $VARG_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Read TSX and escape it for JSON (no jq needed)
CODE=$(sed 's/\\/\\\\/g; s/"/\\"/g; s/$/\\n/' video.tsx | tr -d '\n' | sed 's/\\n$//')

RESPONSE=$(curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": \"$CODE\"}")
Confidence
95% confidence
Finding
curl -s -X POST https://render.varg.ai/api/render \ -H "Authorization: Bearer $VARG_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
);
TEMPLATE

curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": $(cat talking-head.tsx | jq -Rs .)}"
Confidence
94% confidence
Finding
curl -s -X POST https://render.varg.ai/api/render \ -H "Authorization: Bearer $VARG_API_KEY" \ -H "Content-Type: application/json" \ -d
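Each External Transmission finding above flags the same pattern: a curl command that ships local TSX source plus a bearer key to render.varg.ai, and the BYOK finding adds third-party keys passed as headers. The overview says to review such commands before running them; the shell script below is an added example of doing that mechanically, not part of the Varg skill or its docs. It assumes the snippet under review is a shell script that uses curl the way the templates do. The function names, the header-name heuristic (Authorization, or any header name ending in Key, Token or Secret) and the constructed sample script, including the made-up host provider.example.invalid, header X-Provider-Key and key value, are this example's own.

```sh
#!/bin/sh
# Added example (not part of the Varg skill or its docs): before running one of
# the skill's curl templates, summarise what it would send off-machine: which
# hosts it contacts, which local files it reads into the request body, which
# secret-looking variables it expands, and whether any header carries a
# credential pasted in literally instead of via a variable. Assumes a shell
# snippet using curl as the templates do; the function names, the header-name
# heuristic and the sample script are this example's own.

# outbound_hosts FILE -> every http(s) host named in FILE, one per line
outbound_hosts() {
  grep -oE 'https?://[^/[:space:]"]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# files_sent FILE -> local files read with cat (the templates do `cat x.tsx | jq -Rs .`)
files_sent() {
  grep -oE 'cat +[^ |)]+' "$1" | awk '{ print $2 }' | sort -u
}

# secret_refs FILE -> expanded variables whose name looks like a credential
secret_refs() {
  grep -oE '\$[{]?[A-Z0-9_]*(KEY|TOKEN|SECRET)[A-Z0-9_]*[}]?' "$1" | tr -d '${}' | sort -u
}

# literal_tokens FILE -> -H arguments for Authorization / *-Key / *-Token / *-Secret
# headers whose value contains no $ expansion, i.e. a hardcoded credential
literal_tokens() {
  grep -oiE -- '-H +"?(Authorization|[A-Za-z-]*(Key|Token|Secret))[^"]*"?' "$1" \
    | grep -v '\$' || :
}

# audit_script FILE -> print the summary; return 1 if a hardcoded credential is present
audit_script() {
  f=$1
  printf 'Hosts contacted:\n';            outbound_hosts "$f" | sed 's/^/  /'
  printf 'Local files read into body:\n'; files_sent "$f"     | sed 's/^/  /'
  printf 'Secret variables expanded:\n';  secret_refs "$f"    | sed 's/^/  /'
  bad=$(literal_tokens "$f")
  if [ -n "$bad" ]; then
    printf 'Hardcoded credentials in headers:\n'
    printf '%s\n' "$bad" | sed 's/^/  /'
    return 1
  fi
  return 0
}

# write_sample_script PATH -> a constructed snippet: the page's render call plus
# a BYOK-style call with the provider key pasted inline (host, header name and
# key value are made up for this example)
write_sample_script() {
  cat > "$1" <<'EOF'
curl -s -X POST https://render.varg.ai/api/render \
  -H "Authorization: Bearer $VARG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"code\": $(cat video.tsx | jq -Rs .)}"
curl -s https://provider.example.invalid/v1/generate \
  -H "X-Provider-Key: pk-live-0000deadbeef"
EOF
}

# Demo on the constructed sample: sh audit-snippet.sh --demo
if [ "${1-}" = --demo ]; then
  work=$(mktemp -d)
  write_sample_script "$work/render.sh"
  audit_script "$work/render.sh" || echo "refusing to run: a credential is hardcoded"
  rm -rf "$work"
fi
```

The summary is what the least-privilege finding says the skill never declares: the hosts and the secrets are now visible before anything is sent, so a user can decide whether video.tsx and VARG_API_KEY should leave the machine at all. The literal-token check is a heuristic on header names and will miss keys passed in the body or in query strings.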

VirusTotal

66/66 vendors reported this skill as clean.
