ClawHub
Back to skill

Security audit

食物糖壳/爆浆切开视频

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid WeryAI dessert-video generator that uses an API key and may upload chosen images, with user confirmation required before generation.

Install only if you intend to use paid WeryAI video generation. Keep WERYAI_API_KEY secret, review the bundled video_gen.js before running it, confirm the full prompt and parameters before each generation, and use local image paths only when you intentionally want that file uploaded to WeryAI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description includes broad trigger phrases like 'Use when you need food ASMR cut' and 'users ask for shell snap, lava pour, jelly wobble,' which are generic enough to cause accidental invocation in loosely related conversations. Unintended activation can expose user-provided image URLs, trigger paid API usage, or prompt the agent to request/handle local files in contexts where the user did not clearly intend to run this external-network skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The implicit trigger uses a broad natural-language description of a dessert video request without any explicit activation boundary, making the skill likely to fire on ordinary food-video prompts that merely resemble its domain. This can cause unintended skill invocation, reducing routing integrity and potentially overriding user intent or invoking external generation behavior when the user did not explicitly request this skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.