On This Day Art

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for local ComfyUI image automation, but it under-discloses network posting, scheduled behavior, and local retention risks.

Install only if you intend to run this Windows/WSL ComfyUI automation and understand that it can contact Wikipedia, expose or use a network ComfyUI API, retain prompt/event history locally, and may be configured to post generated output to Discord. Before use, bind or firewall ComfyUI, verify the Discord channel and bot permissions, and keep any scheduled posting disabled until explicitly configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documents shell-executable workflows and scripts but does not declare permissions, which undermines informed consent and makes it easier for an agent or user to invoke local commands without clear authorization boundaries. In this context, the shell access can launch local services, interact with network endpoints, and run automation, so the mismatch is a real security issue even if the apparent goal is legitimate image generation.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The README materially misrepresents the skill's network behavior by claiming it runs entirely locally and does not send data to external servers, even though earlier sections explicitly describe fetching events from Wikipedia and posting generated images to Discord. This kind of inaccurate security documentation can cause users to enable or deploy the skill under false assumptions about privacy, egress, and data handling.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The security documentation specifically states that the skill does not send data to external servers, but the documented workflow sends requests to Wikipedia and posts generated content to Discord. False assurances in a security section are especially risky because operators often rely on that section for trust and deployment decisions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest says the skill does not handle SD 3.5, but later sections provide setup and recommended-use guidance for SD 3.5. This inconsistency can mislead users and downstream tooling about what the skill supports, weakening trust and potentially causing unsafe or unintended execution paths on resource-constrained systems.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The contradiction between 'Does NOT handle SD 3.5' and later instructions to install and use SD 3.5 is a real integrity problem in the skill specification. While not an exploit primitive by itself, it can cause agents or operators to rely on inaccurate constraints, which increases the chance of unsafe automation, crashes, or unsupported behavior.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The setup guide states that the workflow automatically posts generated output to a Discord channel, which contradicts the skill metadata claiming local-only image generation and no cloud/API behavior. This creates an undisclosed outbound communication path and scope expansion that can expose generated content, metadata, or future prompt-derived data to an external service without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Introducing Discord posting is not necessary for the stated purpose of local historical image generation and represents capability creep beyond the advertised function. Even if intended as convenience automation, hidden or underdocumented external posting increases the risk of unauthorized disclosure and weakens user trust in the skill's boundaries.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The script persistently stores run history, including event text, inferred location, prompt, image path, and timestamp, in a workspace memory file unrelated to the minimum function of generating an image. Persistent logging increases data retention risk and can expose user activity patterns or sensitive prompts if the workspace is later accessed by another tool or user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes Discord automation, but the overview does not prominently warn that the system automatically posts generated images on a schedule. Users may install or run the skill without realizing it performs unattended external posting, which increases the risk of unintended disclosure or surprise outbound activity.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger language is broad enough that the skill could activate for generic requests about AI image generation or historical art, even when the user did not intend to authorize local shell-based workflows or automation. In this skill, overly broad activation is more dangerous because the documented behavior includes local process control, model setup, network bridging, and recurring jobs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill includes daily automated generation and Discord posting behavior, but the top-level description does not clearly warn users that it may schedule recurring actions and transmit content to an external service. That omission can lead to unexpected outbound sharing and persistence of automation beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatic posting to Discord without an explicit warning about ongoing network transmission is a real security and privacy issue because users may assume all processing and outputs remain local. Scheduled background transmission can leak generated images, dates, locations, prompts, or associated metadata to a third-party platform on a recurring basis without sufficient transparency.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
User prompts are sent over plain HTTP to `192.168.4.95:8188`, so anyone with access to the local network segment could potentially observe or tamper with prompt contents and server responses. This is especially relevant because prompts may contain sensitive user-provided content, and the script provides no warning, authentication, or transport protection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script appends prompt, event, location, image path, and timestamp data to a long-lived JSONL memory file without any user notice or consent. Even though the current inputs are often public-history themed, prompts or test events may contain user-supplied content, so undisclosed retention can leak private or identifying information and create unnecessary surveillance of usage.

VirusTotal

66/66 vendors flagged this skill as clean.