Holy ceremony & celebration style transform (Seedance 2.0)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeryAI video-generation skill that uses an API key and sends prompts or public image URLs to WeryAI, with no evidence of hidden persistence, credential theft, or destructive behavior.

Install only if you are comfortable using a paid WeryAI API key and sending prompts or public image URLs to WeryAI. Use a revocable or quota-limited key where possible, review the confirmation table to ensure the model is SEEDANCE_2_0, and avoid sensitive personal data or private media URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The skill claims it is locked to SEEDANCE_2_0 and a narrowly defined sacred-celebration use case, but the referenced behavior indicates the underlying script can enumerate models, accept arbitrary model values, and generate broader content than advertised. This mismatch is dangerous because users and orchestrators may trust the documented restrictions, while the actual implementation can trigger unintended paid API actions, broader content generation, or use of less-reviewed model paths and endpoints.

Vague Triggers

Medium
Confidence: 96%
Finding:
The implicit-domain trigger prompt is broad enough to match generic celebratory language such as 'golden,' 'celebration,' and 'confetti blessing' without explicitly invoking this specific skill. That can cause unintended activation in ordinary user requests, reducing trigger precision and potentially routing unrelated content into this transformation skill.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The documentation instructs users to send prompts and public image URLs to third-party WeryAI endpoints using an API key, but it does not warn that user content, metadata, and externally hosted media will be transmitted off-platform. In a media-generation skill, users may supply sensitive or copyrighted images, so the lack of an explicit privacy and data-transmission notice can lead to unintended disclosure and compliance issues.

VirusTotal

64/64 vendors flagged this skill as clean.
