Photoshop Automator

Security checks across malware telemetry and agentic risk

Overview

This Photoshop automation skill is not deceptive, but it gives an agent broad local Photoshop scripting power that can modify documents and local files.

Install only if you intentionally want an agent to control Photoshop and run ExtendScript on your machine. Use backed-up PSDs, review any generated scripts before running them, avoid untrusted prompts or sensitive folders, and be careful with export paths because the skill can write files where your user account has access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The skill description understates the breadth and risk of its capabilities. While it presents itself as Photoshop automation for text updates, filters, and actions, the documented runScript feature enables arbitrary ExtendScript execution with direct filesystem access, and the metadata also declares use of cscript/osascript, expanding execution pathways beyond the narrow stated purpose. This mismatch can mislead users and downstream policy systems into granting trust or permissions without understanding that the skill can execute arbitrary code and modify local files.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill description understates a core dangerous capability: it accepts arbitrary user-supplied ExtendScript and executes it inside Photoshop via COM/AppleScript. That hides a powerful code-execution surface from users and policy systems, increasing the chance that unsafe prompts or unreviewed automations are run without informed consent.

Missing User Warnings

High
Confidence: 99%
Finding
The runScript command writes attacker-controlled JSX to a temp file and executes it in Photoshop with no warning, confirmation, sandboxing, or capability restriction. Because Photoshop scripting can manipulate documents, access files, and invoke actions, this creates a broad arbitrary-automation primitive that can be abused for destructive edits, data exfiltration through file writes/exports, or unsafe workflow execution.

Missing User Warnings

Medium
Confidence: 96%
Finding
The export command writes to any user-supplied filesystem path without constraints or warning, allowing overwrites of accessible files or writes to sensitive/shared locations. In combination with Photoshop document contents, this can be abused to place files where they should not go or silently exfiltrate generated content to attacker-chosen paths.

VirusTotal

66/66 vendors flagged this skill as clean.
