ClawHub

BizyAir API出图

Security checks across malware telemetry and agentic risk

Overview

This is a normal BizyAir image-generation skill that uses an API key and network calls as expected, with some privacy and file-saving cautions users should understand.

Install only if you are comfortable sending image prompts and generation settings to BizyAir. Do not include confidential or regulated information in prompts unless you trust the provider's handling, keep BIZYAIR_API_KEY out of messages and logs, and save downloaded images only to intended folders after checking the final path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill goes beyond image generation and instructs the agent to help download remote image outputs to a user-specified local path. That expands capability from API mediation into local file write behavior, which can be abused for unintended filesystem changes or writing untrusted content without clear user safety checks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill requires use of a bearer API key and sends user prompts and parameters to an external service, but it provides no user-facing notice about third-party transmission or credential handling. This creates a privacy and transparency gap: users may unknowingly send sensitive prompts or data to BizyAir, and operators may mishandle the secret in downstream logging or debugging.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill offers to download generated images to a local path without warning the user that this will cause a filesystem write. Unannounced local writes are sensitive because they can surprise users, overwrite expected locations, or persist untrusted content on disk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal