ClawHub

Drawing.Bak

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only drawing helper with disclosed local preference memory and no executable payload or hidden data-sending behavior.

Install only if you are comfortable with the skill keeping drawing-related defaults in ~/drawing/ or workspace memory. Avoid sending identifiable child photos or unnecessary personal details to image providers, and confirm before changing the configured OpenClaw image model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The template directs the agent to create a persistent memory file containing user defaults, style preferences, model notes, and learned patterns across sessions. For a drawing prompt skill, this goes beyond immediate task execution and introduces retention of profiling-like interaction history without a clearly stated necessity, data-minimization boundary, or consent mechanism.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The memory sections capture audience age, preferences, inferred defaults, repeated-request notes, and provider quirks, creating a persistent user profile not obviously required for generating children's drawings. The inclusion of inferred child age and ongoing preference gathering increases sensitivity because it can accumulate information about minors or family context over time.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs the agent to save user preferences into memory without telling the user or obtaining consent. Even though the saved items appear low sensitivity, undisclosed persistence creates a privacy risk because preferences, constraints, and recurring patterns can accumulate into a behavioral profile the user did not expect to be stored.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal