Hidden Truth Reveal Video Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeryAI video-generation helper that needs a paid API key and sends approved prompts or public image URLs to WeryAI.

Install only if you intend to use WeryAI for paid video generation. Use a revocable or quota-limited WERYAI_API_KEY where possible, review the full prompt before confirming, and do not include confidential, personal, unreleased, or proprietary media or prompts unless you are comfortable sending them to WeryAI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
The skill is presented as a narrowly scoped 'hidden truth reveal' generator, but the documented behavior includes broader capabilities such as generic text/image video generation, model discovery, arbitrary task status checks, and dry-run request printing. This mismatch weakens user consent and review because operators may invoke a more general remote-job client than the description suggests, increasing the chance of unintended data disclosure or misuse of paid API operations.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger tests use broad phrases like 'where everyday goods come from,' 'brutal contrast edit,' and 'supply chain shock' without clear boundaries, making the skill likely to activate on loosely related prompts. This can cause unintended invocation, expanding the skill's operational scope and increasing the chance of generating sensationalized or harmful content outside the intended use case.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly directs users to send prompts and public image URLs to third-party WeryAI API hosts, but it does not warn that user-supplied content will leave the local environment and be disclosed to an external service. In a skill that may process supply-chain narratives, product imagery, or user-provided media, this can cause unintended sharing of sensitive or proprietary data and weakens informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
