Fashion Colorize Shell

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it colorizes user-provided garment sketches through a disclosed remote image-generation endpoint, with privacy considerations users should understand.

Install only if you are comfortable uploading the selected apparel sketches, optional reference images, and design brief to https://models.kapon.cloud for processing. Use a dedicated or restricted API key when possible, and avoid submitting confidential or unreleased designs unless that external processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs use of an environment-provided secret (`GEMINI_API_KEY`) and an external API endpoint, but the metadata shows no declared permissions or capability disclosure for environment access. This creates a trust and policy gap: an agent may access sensitive environment data without explicit declaration, making review, sandboxing, and least-privilege enforcement harder.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-supplied sketch images, optional style-reference images, and freeform brief text to a remote inference endpoint at a fixed third-party base URL without any explicit disclosure, consent prompt, or data-handling notice in the tool itself. In a design workflow, these inputs may contain proprietary product concepts or sensitive commercial assets, so silent transmission creates a real privacy and data-governance risk even if it is functionally required.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal