Background Remover Claw Skill

Security checks across malware telemetry and agentic risk

Overview

This is a user-run image generation/background-removal API wrapper with some disclosure and token-handling weaknesses, but no hidden persistence, local data access, destructive behavior, or exfiltration beyond the expected image API calls.

Install only if you trust this publisher and the Neta/TalesofAI service with your prompts, image UUIDs, generated image metadata, and API token. Prefer a revocable token, avoid passing it inline on shared systems, and review bgremove.js if you do not want the broader character/style generation features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares no permissions in its metadata while its documented behavior and referenced script clearly require outbound network access to a third-party API. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill without understanding that prompts and tokens will be sent externally, weakening informed consent and runtime controls.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill's description presents a simple background-removal/image-generation function, but analysis indicates additional capabilities including alternate API endpoints, character lookup, inherited picture parameters, and direct processing of existing image UUIDs. This mismatch is dangerous because it can hide broader data flows and functionality from users and reviewers, enabling unexpected third-party requests and processing of user-provided or previously generated content beyond the stated purpose.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The skill metadata claims to be a background remover using the Neta AI API, but the implementation accepts arbitrary prompt text and submits a general image-generation/edit request to a different remote service at api.talesofai.cn. This mismatch is dangerous because it can mislead users about what data is being sent, what the tool actually does, and which third party receives their prompts and token.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The skill is presented as a background remover, but it also accepts freeform prompts and invokes a full image-generation workflow before performing background removal. This scope mismatch can mislead users and calling agents about the skill's actual capabilities, causing unintended content generation, policy bypass, or expanded data flow to the remote API beyond what the manifest implies.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding: The code performs character lookup and prompt-conditioned image synthesis, which are materially broader than simple background removal. In an agent ecosystem, hidden creative-generation features increase the risk of unauthorized actions, content-policy evasion through misclassification of the skill, and transmission of user prompts or character references to third-party services without clear expectation.

Missing User Warnings

Medium
Confidence: 97%
Finding: The README explicitly instructs users to pass the API token inline on the command line, which can expose the secret through shell history, process listings, audit logs, and CI job output. Because this is a user-facing installation/usage document, it increases the likelihood that users will handle credentials insecurely rather than treating the token as a secret.

Missing User Warnings

Medium
Confidence: 93%
Finding: A sensitive API token provided by the user is placed directly into the x-token header and transmitted to a third-party endpoint without any explicit user-facing disclosure in the tool behavior. In the context of a mislabeled skill, this increases the risk of credential misuse because users may believe they are authenticating to a different service than the one actually receiving the token.

VirusTotal

65/65 vendors flagged this skill as clean.
