ClawHub

ai.fun.tv 文生图

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent ai.fun.tv image-generation helper, but users should understand that it sends prompts to ai.fun.tv and can save a reusable local token.

Install this only if you intend to use ai.fun.tv for image generation. Your prompts and generation requests will be sent to ai.fun.tv, and if you provide a token it may be saved locally as authorization.txt for future reuse; use the environment variable or the script's no-save option if you prefer not to persist it, and delete or rotate the token if the machine or workspace is shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to read environment variables, read and write local files, make network requests, and invoke shell commands, yet no explicit permission declaration or guardrails are present. This creates a capability/expectation mismatch that can lead to unintended execution with broader access than users realize, especially when handling credentials and downloads.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation text uses broad triggers such as image generation, posters, cover images, and prompt words that may match many ordinary user requests. Over-broad activation can cause the skill to run in contexts the user did not intend, increasing the chance of unsolicited network access, token handling, and file writes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs persistent storage of a user authentication token in a local file for later reuse but does not require an explicit user-facing warning about the security and privacy risks of storing reusable credentials. Even with restrictive file permissions, local persistence increases exposure through accidental inclusion in backups, workspace sharing, or later unrelated skill access.

Ssd 3

Medium
Confidence
97% confidence
Finding
Persisting a user-provided authentication token locally for reuse across future tasks creates a reusable secret that can be stolen or misused by other processes, tools, or later agent actions. Because the token authorizes external API calls, compromise could let an attacker perform actions as the user, consume quota, or access generated content without re-consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal