ClawHub

Veo Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documented Monet video-generation API helper, but prompts and uploaded images are sent to Monet’s hosted service.

Install only if you are comfortable sending prompts, reference images, uploaded files, and generated outputs to monet.vision. Do not use it with secrets, private customer data, regulated content, or confidential media unless Monet’s data handling terms are approved for that use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to upload reference images and then use the returned URL in subsequent API calls, but it does not warn that user-supplied images and prompts are being transmitted to a third-party service. In an agent-skill context, this can cause inadvertent exfiltration of sensitive or proprietary content because users or downstream agents may assume the operation is local or privacy-preserving.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to upload local files to a third-party service but does not clearly warn that image contents and related metadata will leave the local environment and be stored remotely. In an agent context, this can cause unintentional exfiltration of sensitive user files or regulated data if the agent is allowed to act on broad prompts.

External Transmission

Medium
Category
Data Exfiltration
Content
### Example 1: Basic Video Generation

```typescript
const response = await fetch('https://monet.vision/api/v1/tasks/async', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
Confidence
88% confidence
Finding
fetch('https://monet.vision/api/v1/tasks/async', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
const formData = new FormData();
formData.append('file', imageFile);

const uploadResponse = await fetch('https://monet.vision/api/v1/files', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${process.env.MONET_API_KEY}`,
Confidence
97% confidence
Finding
fetch('https://monet.vision/api/v1/files', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
const imageUrl = fileData.url;

// Then create video task with reference image
const response = await fetch('https://monet.vision/api/v1/tasks/async', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
Confidence
90% confidence
Finding
fetch('https://monet.vision/api/v1/tasks/async', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
### Example 3: Fast Mode for Quick Iteration

```typescript
const response = await fetch('https://monet.vision/api/v1/tasks/async', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
Confidence
86% confidence
Finding
fetch('https://monet.vision/api/v1/tasks/async', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
### Your First Video Generation Task

```bash
curl -X POST https://monet.vision/api/v1/tasks/async \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $MONET_API_KEY" \
  -d '{
Confidence
87% confidence
Finding
curl -X POST https://monet.vision/api/v1/tasks/async \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $MONET_API_KEY" \ -d '{ "type": "video", "input": { "model":

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal