beauty-prompt

Security checks across malware telemetry and agentic risk

Overview

This skill is an interior-design image helper whose web search, image generation, Feishu delivery, saved output files, and optional video handoff are disclosed and fit its stated purpose.

Install only if you are comfortable with design prompts being used for web search, generated images being saved under the workspace output directory, results being sent through Feishu, and image paths being shared with another agent if you agree to video creation. Avoid including private addresses, client-confidential layouts, personal identifiers, or sensitive business details in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill's declared purpose is image generation for interior/design inspiration, but it later instructs the agent to proactively invoke another agent to create video content. This expands scope and causes an implicit cross-agent action based on a casual affirmative response, which can lead to unintended data sharing of locally stored image paths and unauthorized task execution beyond the user's original request.

Vague Triggers

Medium
Confidence: 88%
Finding
The top-level description defines trigger scenarios in very broad terms, including general visual-content and design-related needs, which can overlap with ordinary conversation. Overbroad activation can cause the skill to engage unexpectedly, leading to unnecessary questioning, web searches, file creation, or downstream actions when the user did not intend to invoke this capability.

Vague Triggers

Medium
Confidence: 90%
Finding
The 'intent recognition' trigger in the activation logic lacks precise boundaries and negative cases, so the agent may infer activation from ambiguous discussion of home, decor, or style topics. In this skill context, accidental activation is more dangerous because the workflow includes external web queries, prompt transformation, image generation, storage, and later transmission to Feishu or another agent.

Missing User Warnings

High
Confidence: 96%
Finding
The skill instructs the agent to perform web searches, write generated images to a shared/public output directory, and send the image through Feishu, but it provides no user-facing notice or consent mechanism for those data transfers and storage operations. This creates a real privacy and data-handling risk, especially if user prompts, design requirements, or generated assets contain sensitive household, commercial, or personally identifying information.

VirusTotal

66/66 vendors flagged this skill as clean.
