ClawHub

Fal.ai API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward fal.ai API helper that uses a fal.ai key to send user-provided prompts or media URLs to fal.ai for generation or transcription.

Install only if you are comfortable giving the skill a fal.ai API key and sending prompts, image URLs, audio URLs, and generation parameters to fal.ai. Use a dedicated or revocable key where possible, monitor credit usage, and avoid submitting secrets, personal data, or regulated content unless fal.ai processing is acceptable for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata declares only an environment requirement, but the documented behavior clearly implies network access to fal.ai and the ability to invoke local shell commands such as `python3 fal_api.py --list-models`. When a skill's effective capabilities are broader than its declared permissions, users and hosting systems cannot accurately evaluate data exposure or sandboxing needs, which increases the chance of unintended external transmission or unsafe execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill sends user prompts and potentially user-provided media to fal.ai, but the description and usage guidance do not prominently warn users that their content leaves the local environment and is processed by a third-party API. That omission can lead users to submit sensitive text, images, audio, or regulated data without informed consent, creating privacy, compliance, and confidentiality risk.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal