Openclaw Media Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AIsa media-generation client that sends prompts to AIsa and saves returned image or video files locally.

Install only if you trust AIsa with your prompts, generated media requests, and AISA_API_KEY usage. Treat the key as billable/sensitive, review API usage after first runs, and choose output paths carefully because the script may overwrite files at the path you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Tainted flow: 'req' from os.environ.get (line 94, credential/environment) → urllib.request.urlopen (network output)

Critical
Category: Data Flow
Content:
    os.makedirs(os.path.dirname(out_path) or ".", exist_ok=True)
    req = urllib.request.Request(url, headers={"User-Agent": "AIsa-Media-Gen/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:
            total = 0
            while True:
                chunk = resp.read(1024 * 1024)  # 1MB
Confidence: 86%
Finding: with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:

Tainted flow: 'out_path' from os.environ.get (line 406, credential/environment) → open (file write)

Medium
Category: Data Flow
Content:
    os.makedirs(os.path.dirname(out_path) or ".", exist_ok=True)
    req = urllib.request.Request(url, headers={"User-Agent": "AIsa-Media-Gen/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:
            total = 0
            while True:
                chunk = resp.read(1024 * 1024)  # 1MB
Confidence: 88%
Finding: with urllib.request.urlopen(req, timeout=timeout_s) as resp, open(out_path, "wb") as f:

Tainted flow: 'out_path' from os.environ.get (line 406, credential/environment) → open (file write)

Medium
Category: Data Flow
Content:
            return 1
        mime, data = images[0]
        out_path = args.out or _safe_filename(_ext_from_mime(mime))
        with open(out_path, "wb") as f:
            f.write(data)
        _print_json({"success": True, "route": route, "model": args.model, "mime_type": mime,
                     "saved_to": out_path, "images_returned": len(images)})
Confidence: 88%
Finding: with open(out_path, "wb") as f:

Tainted flow: 'out_path' from os.environ.get (line 406, credential/environment) → open (file write)

Medium
Category: Data Flow
Content:
        kind, data, url = images[0]
        out_path = args.out or _safe_filename("png")
        if kind == "b64" and data is not None:
            with open(out_path, "wb") as f:
                f.write(data)
            _print_json({"success": True, "route": route, "model": args.model,
                         "saved_to": out_path, "images_returned": len(images),
Confidence: 88%
Finding: with open(out_path, "wb") as f:

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares access to an API key and uses a networked Python client, but it does not expose any explicit permission model or user-facing disclosure of those capabilities. In an agent environment, this can cause the skill to be invoked without the operator clearly understanding that secrets may be read from the environment and transmitted to an external service.

Vague Triggers

Medium
Confidence: 83%
Finding: The description says to use the skill whenever the user needs creative generation, asset drafts, or media workflows, which is broad enough to match many normal conversations. Over-broad routing increases the chance that the agent will invoke a networked, API-key-backed skill unnecessarily, exposing prompts or metadata to a third party when a local or non-tool response would have been sufficient.

Vague Triggers

Medium
Confidence: 80%
Finding: The 'When to use' guidance is general and does not impose meaningful constraints before activating a tool with network and secret access. In context, this makes the skill more dangerous because the same broad criteria govern a capability that can send user-provided prompts to an external media service, increasing accidental data disclosure and unnecessary tool use.

VirusTotal

67/67 vendors flagged this skill as clean.
