ClawHub

(Google) Veo 3 Video Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Pixwith video-generation helper, but users should understand that prompts and reference images are sent to Pixwith and upload storage providers.

Install only if you trust Pixwith with your API key, prompts, and any reference images you provide. Avoid confidential images or sensitive text, consider disabling prompt optimization when exact wording matters, and confirm the credit tier before creating videos.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill states that `options.prompt_optimization` defaults to `true`, which causes user prompts to be automatically translated/rewritten by the external provider without explicit user opt-in. This can expose user-supplied text to additional processing beyond what the user may expect, and may transform sensitive or policy-relevant wording before transmission.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 2: Create task

```bash
curl -s -X POST https://api.pixwith.ai/api/task/create \
  -H "Content-Type: application/json" \
  -H "Api-Key: $PIXWITH_API_KEY" \
  -d '{
Confidence
83% confidence
Finding
https://api.pixwith.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**1a. Get a presigned upload URL:**

```bash
curl -s -X POST https://api.pixwith.ai/api/task/pre_url \
  -H "Content-Type: application/json" \
  -H "Api-Key: $PIXWITH_API_KEY" \
  -d '{"image_name": "frame.jpg", "content_type": "image/jpeg"}'
Confidence
88% confidence
Finding
https://api.pixwith.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 3: Create task with images

```bash
curl -s -X POST https://api.pixwith.ai/api/task/create \
  -H "Content-Type: application/json" \
  -H "Api-Key: $PIXWITH_API_KEY" \
  -d '{
Confidence
84% confidence
Finding
https://api.pixwith.ai/

Indirect Prompt Extraction

Medium
Category
System Prompt Leakage
Content
- **image_urls** (optional): 1–2 publicly accessible image URLs.
  - 1 image → used as the start frame.
  - 2 images → first is the start frame, second is the end frame.
- **options.prompt_optimization** (boolean, default `true`): Auto-translate prompt to English.
- **options.aspect_ratio** (required): `16:9` or `9:16`.

## Workflow A — Text-to-Video
Confidence
86% confidence
Finding
translate prompt

Indirect Prompt Extraction

Medium
Category
System Prompt Leakage
Content
- **image_urls** (optional): 1–2 publicly accessible image URLs.
  - 1 image → used as the start frame.
  - 2 images → first is the start frame, second is the end frame.
- **options.prompt_optimization** (boolean, default `true`): Auto-translate prompt to English.
- **options.aspect_ratio** (required): `16:9` or `9:16`.

## Workflow A — Text-to-Video
Confidence
86% confidence
Finding
translate prompt to English

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal