ClawHub

grok_image_generate

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Grok image-generation workflow, but users should confirm the browser account, saved file, and Feishu destination before sending anything.

Install only if you want an agent to open Grok Imagine in your browser profile, control the desktop to save images, and optionally send selected local image files to Feishu. Replace the example file paths, keep unrelated sensitive windows closed during desktop automation, and confirm the recipient/channel before any send.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are very broad and overlap with ordinary user requests such as '生成一张图片' or '帮我画个图', making accidental invocation likely. In this skill, mis-triggering is more dangerous because the workflow opens an external website, performs browser automation, and can proceed to save and send generated files, so an unintended match could cause unplanned external actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send image files to Feishu using a local file path, but it does not clearly warn that this uploads a local file to an external messaging platform. In context, this is more dangerous because the workflow explicitly handles files from local directories such as Downloads and workspace images, creating a real risk of unintended data exfiltration if the wrong file is selected or if the send step is triggered without informed user consent.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal