ClawHub

Virlo Short-Form Video Training Data

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Virlo API documentation skill that uses a user-provided API key to make disclosed requests to Virlo's external service.

Install this only if you intend to let your agent contact Virlo with your VIRLO_API_KEY. Treat keywords, competitor lists, campaign names, and monitoring targets as data sent to Virlo, protect the API key, and require confirmation before creating searches, scheduled monitors, updates, or deletes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to send authenticated requests containing their queries and potentially sensitive business-intelligence inputs to an external third-party API, but it does not clearly disclose that prompts, keywords, and monitoring targets leave the local environment. This is a real transparency and privacy risk because users may submit proprietary research terms, competitor lists, or campaign data without realizing they are transmitted off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# GET request
curl -s -X GET "https://api.virlo.ai<endpoint>" \
  -H "Authorization: Bearer ${VIRLO_API_KEY}" \
  -H "Content-Type: application/json"
Confidence
95% confidence
Finding
curl -s -X GET "https://api.virlo.ai<endpoint>" \ -H "Authorization: Bearer ${VIRLO_API_KEY}" \ -H "Content-Type: application/json" # POST request with JSON body curl -s -X POST "https://api.virl

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal