Visual Muse

Security checks across malware telemetry and agentic risk

Overview

Visual Muse appears to be a real ComfyUI image-generation skill, but it bundles broad admin and cleanup commands that users should review before installing or running.

Install only if you are comfortable running a local ComfyUI stack and reviewing shell scripts first. Avoid exposing ComfyUI on all network interfaces unless you intend remote access. Do not run the session cleanup command without a verified backup. Inspect the external switch-model.sh helper before using model switching. Assume that prompts, preferences and run history may be stored locally, and that Ofox-routed LLM requests may leave the machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Severity: Medium (96% confidence)
Finding
The README explicitly says all model switching goes through the external Ofox service while earlier messaging emphasizes local ComfyUI generation, which can mislead users about what data leaves the machine. This is a real transparency and data-flow disclosure issue because user prompts may be sent to a third-party provider without clear upfront notice, affecting privacy, compliance, and trust.

Intent-Code Divergence

Severity: Medium (93% confidence)
Finding
The documented write pattern rewrites the entire preferences.json file, which contradicts the stated append-only rule and can destroy prior history if concurrent updates, partial modifications, or logic bugs occur. Because this file is shared state for other agents, data loss or corruption can alter future behavior and weaken auditability of user preference changes.

Description-Behavior Mismatch

Severity: Medium (91% confidence)
Finding
The script is not related to image generation logic; it changes the gateway's painter/LLM model inside a Docker container and restarts the gateway service. That is a capability/description mismatch that can mislead reviewers and users about the actual privileges exposed by the skill, increasing the chance that powerful operational controls are bundled without proper scrutiny.

Context-Inappropriate Capability

Severity: High (96% confidence)
Finding
This file can execute `docker exec` and `docker restart` against the `openclaw-gateway` container, giving the skill operational control over a core service well beyond generating images. In the context of a public-facing image skill, such control can be abused to disrupt service, alter runtime behavior by switching models, or serve as a stepping stone for broader container/host administration if exposed to untrusted triggers.

Context-Inappropriate Capability

Severity: Medium (88% confidence)
Finding
The script allows the caller to supply an arbitrary output directory and then creates and writes files there without restricting the path to the skill workspace. In an agent context, this can be abused to place generated files in unexpected filesystem locations, overwrite or clutter shared directories, or exfiltrate outputs to locations with different access controls, which exceeds the image-generation purpose described for the skill.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The skill advertises preference memory and run tracking but does not explain what user data is retained, where it is stored, or how long it persists. This creates a genuine privacy and informed-consent problem because prompts, stylistic preferences, and usage history may be collected or persisted without adequate disclosure.

Vague Triggers

Severity: Medium (82% confidence)
Finding
An overly broad trigger phrase such as asking to 'draw a picture' can easily match ordinary conversation, causing the skill to activate unexpectedly. In this context, unintended activation is more dangerous because the skill is associated with network, shell, file, and possibly installation behaviors, so accidental invocation could trigger costly or host-changing actions without clear user intent.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The troubleshooting guide instructs users to delete all session contents with `rm -rf ~/.openclaw/agents/main/sessions/*` while presenting it as routine cleanup, but it does not explicitly warn that this destroys conversation history, state, and potentially recoverable agent data. In an agent skill context, operators may paste commands verbatim, so missing data-loss warnings materially increase the chance of accidental destructive action.

Missing User Warnings

Severity: Low (87% confidence)
Finding
The guide recommends overwriting the active workspace `SOUL.md` with `cp` but does not clearly warn that this replaces the currently effective agent configuration and may discard local customizations. Because OpenClaw prioritizes the workspace copy, this step changes runtime behavior immediately and could erase intentional per-agent settings.

Vague Triggers

Severity: Medium (82% confidence)
Finding
The trigger condition is broad enough to activate on ordinary conversation about tasks or preferences, which can cause the skill to read or modify persistent user data without a clear need. In a multi-agent environment, over-broad activation increases the chance of unnecessary file access and unintended state changes that influence downstream agents.

Missing User Warnings

Severity: Medium (95% confidence)
Finding
The skill reads and persists user preference/history data but does not disclose retention, scope, or privacy implications to the user. This can lead to silent collection of behavioral data and long-term profiling, especially since the file is reused by other agents for future tasks.

Vague Triggers

Severity: Medium (95% confidence)
Finding
The trigger phrases are very broad and overlap with common conversational requests such as '生成图片' ("generate an image") or '画一张图' ("draw a picture"), which can cause the skill to auto-activate in situations where the user did not intend a local image-generation workflow. Because the skill also instructs the agent to execute immediately without asking clarifying questions, accidental activation can lead to unintended local command execution, resource consumption, and workflow side effects such as run tracking and file creation.

Vague Triggers

Severity: Medium (88% confidence)
Finding
The skill description is broad enough to trigger on a wide range of image-generation related requests, which can cause the agent to invoke this workflow-modification skill outside narrowly intended contexts. Over-broad activation increases the chance of unintended workflow selection or parameter rewriting, especially in multi-skill environments where prompt-routing mistakes can propagate into downstream rendering actions.

Missing User Warnings

Severity: Medium (91% confidence)
Finding
The skill instructs the agent to execute a shell pipeline using user-derived prompt content without any user-facing disclosure or consent boundary. In this context the command is core to the image-generation workflow, but hidden shell execution still increases risk because it normalizes opaque command execution and could expose the system to command or argument injection if JSON construction is not safely escaped by the agent/runtime.

Vague Triggers

Severity: Medium (93% confidence)
Finding
The trigger condition '用户请求画图时触发' ("trigger when the user asks to draw a picture") is overly broad and lacks clear scope boundaries, so the skill may activate on many loosely related requests involving images, diagrams, edits, or visual discussion. Overbroad activation increases the chance of unintended tool use, surprise execution, and bypass of normal user-confirmation patterns, especially because the skill is designed to immediately run a generation script in a single turn.

Vague Triggers

Severity: Medium (90% confidence)
Finding
The trigger condition "用户说评价、改进、优化图片时触发" ("trigger when the user says to evaluate, improve, or optimize an image") is broad enough to activate on many ordinary image-related requests, which can cause the skill to run unexpectedly. In this skill, unintended activation is more concerning because the workflow includes filesystem inspection and logging, creating unnecessary access to local output files and side effects the user did not explicitly request.

Missing User Warnings

Severity: Medium (96% confidence)
Finding
The skill instructs the agent to list files in /home/node/ai-outputs/ and write a tracking log, but it does not disclose these side effects or request user consent. This is dangerous because it can expose metadata about other generated images and create persistent records even when the user only asked for image feedback, increasing privacy and transparency risks.

Missing User Warnings

Severity: Medium (96% confidence)
Finding
The tracker persistently stores full run records including request, prompt, workflow_config, render_result, critic_result, model/template choices, and errors to disk. In an image-generation skill, these fields can contain sensitive user prompts, internal workflow details, or metadata that later becomes accessible to other local processes, operators, backups, or support tooling without explicit user disclosure or minimization.

VirusTotal

64/64 vendors flagged this skill as clean.