ClawHub

Deepfake Check

Security checks across malware telemetry and agentic risk

Overview

This is a coherent deepfake-checking skill, with the main caveat that it stores a Scam.ai key locally and sends selected media to Scam.ai for analysis.

Install only if you are comfortable sending chosen images or videos to Scam.ai and storing a Scam.ai API key on this machine. Prefer a DeepFake Detection-specific key over a Universal key, and delete or rotate the key if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly tells the assistant to have the user paste an API key into chat and then store it in a local file for future reuse, but it does not clearly warn the user that the credential will be persisted on disk. Persisting secrets without informed consent increases the chance of unintended disclosure through local compromise, backups, logs, or multi-user environments.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill instructs uploading user-supplied images and videos to an external Scam.ai API without a clear privacy notice that the media will leave the device. Because these files may contain sensitive biometric or personal content, silent third-party transmission creates privacy and compliance risk even if the API is legitimate.

Ssd 3

Medium
Confidence
99% confidence
Finding
The instructions direct the assistant to solicit an API key in chat and persist it locally, which is an unsafe credential-handling pattern. Secrets pasted into chat may be retained in conversation history, and local file storage broadens the attack surface for credential theft or reuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal