ClawHub

Feed Designs You Video Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WeryAI video-generation helper, with disclosed API-key and network use and no evidence of hidden local access or persistence.

Install only if you are comfortable sending prompts, generation parameters, and any supplied public image URLs to WeryAI using your API key. Avoid private screenshots or sensitive imagery unless you intentionally approve that external processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a narrowly scoped generator for a specific rhetorical five-beat vertical short, but the underlying behavior appears to support broader generic video-generation operations, task inspection, model enumeration, and dry-run API request construction. That mismatch is dangerous because users and higher-level policy systems may grant trust or invoke the skill under false assumptions, enabling broader external API actions than the description suggests.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger tests rely on broad paraphrases like references to scrolling phones, recommendations, and doomscroll critique without tighter boundaries, so the skill may activate on loosely related user requests. In an agent environment, overly ambiguous activation increases the chance of unintended prompt expansion or tool invocation for requests that only tangentially match the domain, which can cause misrouting and unsafe automation behavior.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal