Grok Imagine

Security checks across malware telemetry and agentic risk

Overview

This is a coherent xAI image and video generation skill with expected cautions around API use, costs, output files, and the documented plaintext key fallback.

Install only if you are comfortable using an xAI API key, paying xAI usage charges, and sending prompts or image references to xAI. Prefer XAI_API_KEY over ~/keys.txt, avoid sensitive prompts or private media unless intended, and save outputs in a dedicated folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation indicates use of environment variables, filesystem access, and outbound network access, but no explicit permissions are declared for those capabilities. This weakens least-privilege controls and can cause the host to grant broader access than users expect, especially since the skill can read local images, write output media, and use an API key to contact an external service.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list contains broad everyday phrases such as 'draw' and 'animate' that may cause the skill to activate in contexts where the user did not intend to invoke an external image/video generation tool. Unintended invocation matters here because the skill can send prompts and possibly local image content to a third-party API and incur cost.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation does not clearly warn that user prompts and any provided source images are transmitted to xAI's external API for processing. In this skill's context, that omission is significant because image editing and image-to-video modes may upload local user files, creating privacy, compliance, and data-handling risks if users assume processing is local.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The credential section recommends fallback storage in '~/keys.txt' and config fields without warning that plaintext key storage can expose the API key to other local users, backups, logs, or accidental commits. While this is not remote code execution, stolen API keys can enable unauthorized API usage and billing abuse.

VirusTotal

67/67 vendors flagged this skill as clean.
