ClawHub

If you vanished today (quiet home → feed moves on)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WeryAI video-generation skill with expected API-key and network use, though users should avoid sending sensitive prompts or private image URLs.

Install only if you intend to use WeryAI and are comfortable providing a paid WeryAI API key. Review the expanded prompt before generation, avoid private images or sensitive personal details unless you intend to send them to WeryAI, and do not use this skill for crisis, self-harm, or mental-health-support requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The public description presents a narrowly scoped melancholy 'if you vanished' template, but the body exposes a substantially more general video-generation interface including image-to-video, multi-image generation, model selection, polling, and optional generation controls. That mismatch can cause users or orchestrators to invoke the skill in contexts they did not intend, weakening policy enforcement and enabling broader content generation than advertised.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The invocation guidance is broad enough to trigger on common emotional or loneliness-themed requests, including sensitive 'if I vanished' phrasing that can overlap with crisis or self-harm-adjacent contexts. In a safety-sensitive assistant ecosystem, overly broad routing can surface this skill to vulnerable users even though the skill is framed as creative only.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation directs users to send prompts and public image URLs to third-party WeryAI API hosts, but it does not explicitly warn that user-provided content will leave the local environment and be disclosed to an external service. In a creative/video-generation skill, prompts may contain sensitive personal context or private imagery references, so the absence of a disclosure notice creates a real privacy and consent risk.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The file documents a required API key but does not clearly warn that the credential will be used for authenticated outbound requests to a third-party service. While this is common for API integrations, failing to state it plainly can mislead operators about external data flow and trust boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal