Back to skill

Security audit

Invoke ARTCLAW platform's AI content creation capabilities via REST API. Supports AI image generation, video generation, workflow execution, multimodal analysis, and more.

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its ARTCLAW creative purpose, but it includes a self-update command that can overwrite the installed skill from an unpinned GitHub branch without integrity verification.

Install only if you trust ARTCLAW and the GitHub repository behind this skill. Avoid using the self-update command unless you have reviewed the upstream changes yourself, and treat ARTCLAW prompts/media plus Feishu or Telegram deliveries as external data sharing. Store API keys carefully, review ~/.artclaw history if prompts or generated assets are sensitive, and confirm before sending generated media to chat channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exercises sensitive capabilities including shell, network, file read/write, and environment access, but does not declare an explicit permissions model. That mismatch increases the chance that an agent or user invokes the skill without understanding its actual reach, especially since it can read credentials, write persistent state, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is creative generation and analysis, but the skill also includes repository self-update, persistent local storage, and message delivery through Feishu, Telegram, and Discord using external credentials. Those extra behaviors materially expand trust boundaries and attack surface beyond what a user would reasonably infer from the description, enabling code changes and third-party message transmission.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A self-update mechanism that downloads a ZIP from GitHub and applies file changes is outside the skill's core creative purpose and creates a software supply chain risk. If the source repository, transport, or release process is compromised, the skill can be silently modified to execute attacker-controlled logic on future runs.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest presents the skill as an ARTCLAW creative-suite/API client, but it also bundles Feishu and Telegram media-sending scripts that extend the trust boundary to unrelated third-party messaging platforms. This creates hidden capability for exfiltration or onward transmission of generated/analyzed media and credentials beyond the user’s expected ARTCLAW interactions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The Feishu media-sending script is not justified by the stated purpose of an ARTCLAW REST API client and introduces an undeclared outbound channel for user content. In a creative-generation skill, generated images/videos may contain sensitive or proprietary material, so undisclosed transmission to Feishu increases data leakage risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The Telegram media-sending script similarly adds an unrelated third-party delivery capability that is outside the expected scope of an ARTCLAW generation/analysis client. Telegram delivery can expose user-generated or analyzed media to external chats, bots, and platform retention/logging behaviors not disclosed by the skill description.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script declares built-in self-update URLs and later uses them to download and overwrite the local repository, giving the skill a self-modification capability unrelated to its stated creative API-client purpose. In an agent environment, this materially increases risk because invoking the skill can alter local code on disk and introduce new behavior outside the reviewed version.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This self-update implementation downloads a ZIP archive from GitHub and overwrites files under the repository root without cryptographic verification or strict scope limitations. That creates a supply-chain and integrity risk: compromise of the upstream repo, network path, or mistaken invocation could replace trusted local code with malicious or unsafe content.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file adds broad Feishu messaging capability to a skill described as an ARTCLAW creative-generation suite. In this context, that scope mismatch is dangerous because it gives the skill an unrelated outbound communications channel that can transmit generated or local media to external recipients, which materially increases exfiltration and abuse potential beyond the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script reads Feishu app credentials from ~/.openclaw/openclaw.json, a local configuration source unrelated to the advertised ARTCLAW generation capability. In skill context, accessing unrelated messaging credentials is risky because it silently expands trust boundaries and enables authenticated outbound actions using secrets the user may not expect this skill to consume.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code can fetch arbitrary remote media URLs for cover/image/video handling, which exceeds a narrow ARTCLAW CLI generation role and effectively turns the skill into a general-purpose network retriever and forwarder. In this context, that increases SSRF-like abuse surface, allows contacting attacker-controlled infrastructure, and can be used to relay arbitrary content outward.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
This script adds Telegram bot message delivery capability that is not described by the ARTCLAW creative-suite manifest. Hidden or unjustified outbound-communication features increase supply-chain risk because they can be used to transmit generated content or operational data to third-party destinations outside the expected skill scope.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The code implements outbound Telegram bot messaging, including optional retrieval of a remote thumbnail URL and upload of local video content to Telegram. In a skill whose stated scope is ARTCLAW generation and analysis, this creates an unexpected exfiltration/output channel that could be abused to send files to external chats or channels without matching the advertised functionality.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger phrase shown to users is broad and conversational, which increases the chance that normal chat requests will unintentionally invoke this skill. Because the skill can initiate external AI generation and workflow actions, accidental activation could lead to unintended API usage, unexpected external requests, or user confusion about why a creative generation tool was selected.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Broad trigger keywords such as 'logo', 'cover', or 'workflow' can cause the skill to activate in contexts where the user did not intend to invoke it. Unintended invocation is particularly risky here because the skill can make network requests, consume paid credits, and access local files or credentials through follow-on actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages sending local files, URLs, and media to external generation and analysis services without an explicit privacy or data-handling warning. Users may unknowingly transmit sensitive images, videos, or internal documents to a third-party API, creating confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The manifest advertises remote generation, analysis, workflow execution, and packaged media-sending features, but it does not warn users that prompts, images, videos, and related metadata may be transmitted to external services. This is a security and privacy issue because users may reasonably assume local processing or may not realize their content is being shared with ARTCLAW, Feishu, or Telegram.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The manifest documents use of a Telegram bot token but does not pair that requirement with guidance on secret handling, least privilege, storage, or the fact that use of the token enables outbound communication to a third-party service. While this is more of a security hygiene issue than an exploit by itself, poor secret handling can lead to account abuse or unauthorized messaging.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists job records under ~/.artclaw, including job IDs, status, timestamps, subcommands, and potentially later full final results, without any user-facing warning or consent flow. In this skill's context, prompts and generated-result metadata may contain sensitive creative briefs, proprietary workflows, or user data that remain on disk longer than expected.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The self-update command modifies local repository files from downloaded remote content without an explicit safety warning that local code will be overwritten. Even if intended, this can surprise users or agents and lead to unauthorized local changes, persistence, or operational breakage.

Self-Modification

High
Category
Rogue Agent
Content
## Self Update

```bash
python3 scripts/artclaw.py self-update
```

Preview without writing files:
Confidence
98% confidence
Finding
self-update

Self-Modification

High
Category
Rogue Agent
Content
Preview without writing files:

```bash
python3 scripts/artclaw.py self-update --dry-run
```

Downloads `https://github.com/ArtClaw1/artclaw-skill/archive/refs/heads/main.zip`, atomically applies added or modified files, and reports a JSON summary. Does not delete local-only files.
Confidence
97% confidence
Finding
self-update

Session Persistence

Medium
Category
Rogue Agent
Content
Setup:

1. Open https://artclaw.com/settings.
2. Create an API key in the API Keys section.
3. Copy the generated key. It is prefixed with `vk_` and is shown only once.
4. Configure locally:
Confidence
80% confidence
Finding
Create an API key in the API Keys section. 3. Copy the generated key. It is prefixed with `vk_` and is shown only once. 4. Configure locally: ```bash python3 scripts/artclaw.py config-init --api-key

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.