Back to skill

Security audit

Skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends selfie-style prompts to ClawGirl, uses a ClawGirl API key, and saves generated images locally.

Install only if you trust clawgirl.date with your ClawGirl API key and the prompts you use for selfie or outfit requests. Prefer setting CLAWGIRL_API_KEY explicitly, be aware broad image-related requests may consume quota, and periodically remove generated images from the OpenClaw media directory if you do not want them retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares use of environment variables in metadata but does not clearly declare a formal permission model for code capabilities. This creates transparency and review gaps: operators may install the skill without understanding it accesses secrets and external services. In a skill that sends user prompts to a remote API, incomplete capability disclosure increases the risk of unintended data exposure and weakens informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
A description-behavior mismatch is security-relevant because users and reviewers may approve the skill for image generation while it also reads credentials from local configuration, writes files, and returns arbitrary text responses. Those extra behaviors expand the attack surface beyond the stated purpose and can enable secret exposure, unexpected local persistence, or covert non-image interactions through a trusted-looking skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script searches multiple files under the user's home directory, including backup configuration files, to recover an API key. That expands access to sensitive credentials beyond what is necessary for a selfie-generation feature and can silently consume secrets from stale or unintended sources. In this skill context, reading backup copies is especially unjustified and increases the risk of unauthorized credential use.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like 'photo', 'show me', or 'give me a look' can activate the skill during normal conversation, causing raw user content to be sent to an external service unexpectedly. Because this skill generates media and may store files locally, accidental activation has privacy and consent implications beyond a simple mistaken reply.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Subjective activation rules such as 'user wants the character to show current look' are hard to evaluate safely and can cause the skill to trigger based on inference rather than clear user intent. In this context, that means conversations may be forwarded to a third-party API or produce stored media without explicit consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly says to pass the user's original words directly, but it does not warn that those raw prompts are transmitted to an external image-generation API. This omission undermines privacy expectations and informed consent, particularly if users include sensitive personal, relationship, or sexualized content in prompts.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The output format indicates generated images may be downloaded and stored on local disk, but the skill description does not warn users or operators about local file creation. Undisclosed file writes can create privacy, retention, and disk-usage concerns, especially on shared or managed systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends the user's prompt and bearer credential to an external domain without any in-file notice, consent flow, or trust boundary explanation. While contacting the vendor API may be functionally required, undisclosed transmission of user content and credentials is still a security/privacy issue because users and integrators may not realize what data leaves the host. For a consumer-style 'AI girlfriend selfie generator' skill, that hidden exfiltration risk is more concerning because the prompts may be intimate or sensitive.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script reads sensitive credentials from both environment variables and local configuration files, including backups, without transparent disclosure in the file's user-facing behavior. Secret harvesting from local config materially increases the attack surface and can surprise operators who expected only explicit environment-based configuration. In context, this is more dangerous because the skill's stated purpose does not require broad secret discovery behavior.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.