Sih Ai Photo Editor

Security checks across malware telemetry and agentic risk

Overview

This is a real image-editing skill, but it bundles a live-looking API key and adds persistent quota, usage, and top-up behavior that needs review before users trust it with photos and payments.

Install only if you trust Sih.Ai and api.vwu.ai with uploaded images, prompts, local usage logs, and payment-related identifiers. The publisher should rotate and remove the bundled API key, require explicit consent before uploads and credit deductions, document retention/deletion for ~/.sih_ai data, and add clear restrictions for face swaps, private-person images, minors, sexualized clothing edits, and impersonation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill advertises code-capable behavior including environment access, file read/write, and network use, but declares no permissions. This creates a transparency and governance gap: users and the platform cannot accurately assess what local and remote side effects the skill may perform, including sending data externally or writing files to disk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented purpose is image editing, but the skill also appears to manage persistent user identifiers, local quota/accounting, usage-history logging, top-up flows, and possibly embedded credentials. This mismatch is dangerous because it hides data collection, persistence, billing-related behavior, and secret handling beyond what a user would reasonably expect from an image-editing skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The quick-start guide introduces quota checks, recharge flows, simulated balance additions, and usage-history handling for a skill described as an image-editing tool, but these account/payment behaviors are not disclosed in the manifest description. This creates a material transparency gap: users may invoke the skill expecting simple image processing while the skill also manages credits and payment-related state, which can affect trust, consent, and billing expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The documentation states that persistent local user data and usage history are stored under ~/.sih_ai/, but the skill description does not disclose this retention behavior. Undisclosed persistent storage is risky because it may surprise users, expose local privacy-sensitive metadata, and complicate informed consent and data lifecycle expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding:
A recharge/top-up flow with user-linked payment URLs extends beyond the manifest’s stated purpose of photo editing and is not clearly justified in the skill description. This increases risk because users may be redirected into account/payment handling they did not expect, creating potential for deceptive monetization or phishing-like confusion even if the implementation is legitimate.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The publishing document advertises user registration, quota deduction, usage history, and top-up flows that materially exceed the manifest's stated image-editing purpose. This mismatch can hide monetization and user-tracking behaviors from reviewers and users, undermining informed consent and making it easier to deploy undeclared data handling or payment logic.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The file inventory lists local quota management, auto-registration, credit deduction, recharge, and history components that are unrelated to a narrowly described photo-editing skill. Hidden operational components increase the risk of undisclosed billing, persistent user profiling, or policy evasion because reviewers may approve the skill based on an incomplete understanding of its behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The prompt library explicitly encourages face-swapping to celebrities and private individuals such as 'my mother' or a person from another uploaded photo, without any mention of consent, authorization, or abuse prevention. In an image-editing skill, this materially increases the risk of impersonation, non-consensual deepfakes, harassment, and deceptive content generation, especially because the examples normalize identity manipulation as a standard use case.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The example embeds what appears to be a real Bearer token rather than a redacted placeholder. Publishing live credentials in documentation can enable unauthorized use of the third-party API, quota theft, billing abuse, and potentially access to any data/actions scoped to that key.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
This file implements quota, account-like state, top-up, and billing-related behavior that goes beyond the declared image-editing purpose of the skill. Expanding scope in this way increases the trust surface and can enable undisclosed collection, monetization, or gating behavior that users and reviewers would not expect from a photo-editing tool.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill persists a unique user ID and usage history under the user's home directory, including prompt-derived activity, without any clear necessity tied to basic image editing. Persistent identifiers plus retained prompts create a privacy risk because they allow long-term profiling of a user's editing behavior and potentially sensitive requests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
Generating recharge URLs introduces payment/account workflow into a skill advertised as an image-editing utility. Even though this code only constructs a URL, it still extends the skill into billing-related behavior and can steer users into an undeclared monetization flow tied to a persistent identifier.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill is for image editing, but it also includes an account/credit lookup function that is outside the stated purpose. This expands the capability surface and, because it reuses the same Authorization header, can expose credentials or account metadata to an unrelated service path/domain if invoked.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The docstring says the method retrieves Sih.Ai credits, but the code actually sends the bearer token to a different, hardcoded endpoint, https://api.vwu.ai/v1/user/credits. That mismatch is dangerous because it can leak the user's API credential to an unrelated external service under misleading documentation.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The changelog explicitly advertises automatic download to a Desktop folder and automatic opening in Finder and Preview, but provides no indication of user consent, confirmation, or controls over these side effects. In a skill that processes user-supplied images, silently writing files and launching local applications can create privacy, UX, and security risks, especially if sensitive images are handled or repeated actions are triggered unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The guide explicitly describes automatic user registration, generation of a persistent user identifier, API-based image processing, and a payment flow tied to that identifier, but provides no notice about what data is collected, how images and IDs are handled, or where the data is sent. In a photo-editing skill that processes potentially sensitive personal images, this omission increases privacy risk and can lead to unexpected collection, retention, and linkage of user activity to identifiable accounts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Embedding `user_id` directly in top-up URLs can expose identifiers through browser history, logs, referrer headers, screenshots, support tickets, and third-party analytics. Even if the identifier is pseudonymous, it can still enable account linkage or unauthorized balance/payment actions if the top-up flow trusts the URL parameter too much.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The publish document describes the skill in broad, capability-centric terms without clear activation boundaries, increasing the chance the agent invokes it for loosely related image requests. Because the skill includes sensitive operations like face swapping and clothing changes, overbroad triggering can cause unintended processing of personal images and unsafe content generation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The call-to-action encourages users to 'say what you want edited' in free-form language, which makes activation ambiguous and can cause accidental invocation from casual conversation. In a skill that edits faces, bodies, and clothing, ambiguous activation raises the risk of unsafe or privacy-invasive operations being initiated without sufficient user confirmation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The document states that images are sent to an external API but does not warn users that uploaded photos may contain sensitive biometric and personal data. This is especially dangerous because portrait editing, background replacement, and beautification commonly involve private user images, and users may not realize their data is leaving the local platform.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill advertises face swapping and face fusion without any warning about consent, impersonation, deepfake misuse, or biometric privacy. In context, this omission is serious because face manipulation features can be used for harassment, fraud, sexualized edits, or deceptive identity content if guardrails are not clearly communicated.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The quick-start guide hardcodes a live-looking API key directly in documentation, which is a direct secret exposure. Anyone with access to the skill package can reuse the credential to call the backend service, consume quota, incur cost, or access linked account functionality, making this substantially more dangerous in a networked image-editing skill that depends on external APIs.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README explicitly promotes face-swapping and portrait editing but provides no guidance about consent, privacy, impersonation risk, or handling of third-party images. In an image-manipulation skill, especially one enabling face replacement, this omission materially increases the likelihood of misuse for non-consensual edits, deception, or privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill sends user-provided images to an external API but does not prominently warn users that uploaded images may leave the local environment. Because this skill handles sensitive personal photos and face-editing workflows, lack of disclosure materially increases privacy and consent risk.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The description advertises very broad activation criteria for many kinds of image-editing requests without defining boundaries, exclusions, or consent-sensitive cases such as face swapping, sexualized edits, or edits involving third-party photos. In an agent ecosystem, this can cause over-invocation on ambiguous user requests and increase the chance of unsafe or policy-violating image manipulation workflows being triggered without sufficient checks.

VirusTotal

66/66 vendors flagged this skill as clean.