ClawHub

Hooked

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using Hooked's video-generation API, with expected external API calls and no hidden install-time or local execution behavior.

Install this only if you trust Hooked with the content you ask the agent to turn into videos. Avoid sending secrets, confidential business data, regulated personal data, or private media unless you intend to share it with Hooked. Keep the API key in an environment variable or secret store, confirm before actions that spend credits, and use webhooks only with endpoints you control or trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This markdown skill describes sending scripts, prompts, product URLs, and other content to the Hooked Video API, and later documents webhook callbacks, but it does not include any user-facing warning about privacy or third-party data handling. For markdown files, SQP-2 applies when the description omits warnings about behaviors that could affect user data or privacy.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. List avatars to find a good fit
curl -X GET "https://api.hooked.so/v1/avatar/list" \
  -H "x-api-key: $HOOKED_API_KEY"

# 2. Create a video
Confidence
60% confidence
Finding
curl -X GET "https://api.hooked.so/v1/avatar/list" \ -H "x-api-key: $HOOKED_API_KEY" # 2. Create a video curl -X POST "https://api.hooked.so/v1/project/create/script-to-video" \ -H "x-api-key: $H

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. List avatars to find a good fit
curl -X GET "https://api.hooked.so/v1/avatar/list" \
  -H "x-api-key: $HOOKED_API_KEY"

# 2. Create a video
Confidence
50% confidence
Finding
https://api.hooked.so/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "x-api-key: $HOOKED_API_KEY"

# 2. Create a video
curl -X POST "https://api.hooked.so/v1/project/create/script-to-video" \
  -H "x-api-key: $HOOKED_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
50% confidence
Finding
https://api.hooked.so/

External Transmission

Medium
Category
Data Exfiltration
Content
}'

# 3. Check status (poll until completed)
curl -X GET "https://api.hooked.so/v1/video/vid_abc123" \
  -H "x-api-key: $HOOKED_API_KEY"

# 4. Download when ready
Confidence
50% confidence
Finding
https://api.hooked.so/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal