Tensorslab Image

Security checks across malware telemetry and agentic risk

Overview

This is a functional TensorsLab image-generation skill, but its built-in watermark-removal and undetectable face-replacement workflows need human review before installation.

Install only if you are comfortable sending prompts and selected images to TensorsLab and using an API key that may spend account credits. Avoid or modify the watermark-removal and face-replacement workflows unless you own the content, have explicit permission from depicted people, and are not creating deceptive or impersonation media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill clearly requires environment variable access, shell execution, network communication, and local file writes/uploads, yet no explicit permissions are declared. This creates a transparency and governance gap: an agent may exercise sensitive capabilities without clear user/admin approval, increasing the risk of unintended data exposure or unsafe execution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill instructs the agent to upload local images to an external API and save generated outputs locally, but it does not clearly warn users that selected files leave the local environment. This can cause accidental disclosure of sensitive images, metadata, or proprietary content, especially in image-to-image and editing workflows.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly provides step-by-step prompts and commands for watermark removal without any guardrails, authorization checks, or warning about copyright and ownership implications. In an image-editing skill, this meaningfully increases misuse risk by enabling removal of attribution, branding, or ownership markings from third-party content.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The face replacement scenario gives detailed instructions for swapping faces and emphasizes making the result 'natural and undetectable' without any mention of consent, identity misuse, impersonation, or disclosure requirements. This materially raises the risk of deceptive media creation, harassment, fraud, and non-consensual image manipulation, making the context more dangerous than ordinary benign photo editing.

VirusTotal

66/66 vendors flagged this skill as clean.
