ClawHub

Cyberpunk Transform Video Gen Seedance2.0

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeryAI video-generation helper that uses an API key and paid network calls for its stated cyberpunk video workflow.

Install only if you trust this publisher with a WeryAI API key and paid generation authority. Review the confirmation table before each run, keep the model as SEEDANCE_2_0, and avoid sending secrets, private URLs, personal data, or proprietary media in prompts or image links unless you are authorized to share them with WeryAI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims to be tightly scoped to cyberpunk transformations using SEEDANCE_2_0, but the referenced behavior indicates the underlying tooling can perform broader arbitrary video generation, task polling, and model lookup without enforcing those constraints. That mismatch is dangerous because users, reviewers, and policy gates may trust the narrower declared purpose while the actual execution path can be repurposed for broader or disallowed generation workflows.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The implicit trigger prompt is overly broad, so the skill may activate on generic requests about neon, cyberpunk, vertical video, or HUD aesthetics even when the user did not explicitly intend to invoke this specific skill. In an agent setting, broad activation criteria can cause unintended tool execution, prompt hijacking of adjacent requests, or inappropriate routing that bypasses safer or more relevant skills.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly directs users to send prompts and public image URLs to third-party WeryAI endpoints, but it does not warn that this content leaves the local environment and may contain sensitive text, proprietary media, or personal data. In an agent skill context, that omission increases the chance that users or downstream agents transmit confidential material without informed consent.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal