Life Hack Video

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WeryAI video-generation helper that uses a named API key and fixed network endpoints, with no evidence of hidden or destructive behavior.

Install only if you trust WeryAI with the prompts and public image URLs you submit and are comfortable with paid API usage through WERYAI_API_KEY. Use a revocable, scoped key where possible, review the confirmation table before approving generation, and avoid sending secrets or sensitive personal data in prompts or image URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill clearly requires environment secret access and outbound network access to a paid third-party API, but those capabilities are not explicitly declared as permissions beyond informal metadata. This can mislead reviewers and users about what the skill actually does, reducing informed consent and making secret exposure or unintended external requests easier to overlook.

Vague Triggers

Medium
Confidence: 85%
Finding
The manifest description is broad enough to trigger on ordinary user requests about life hacks, demos, or short videos, increasing the chance the skill is invoked unintentionally. Because the skill performs networked, paid API operations using a secret, over-broad matching can lead to unnecessary data disclosure to a third party and unintended spending.

Vague Triggers

Medium
Confidence: 91%
Finding
The implicit trigger prompt is broad natural-language content that describes a common user request for a short vertical cleaning/life-hack clip, so it may activate the skill even when the user did not explicitly intend to invoke it. This can cause over-triggering, routing ordinary requests into this skill unexpectedly, increasing the chance of incorrect tool use or unintended content generation.

VirusTotal

66/66 vendors flagged this skill as clean.
