Security audit

Pipeworx dicebear

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should avoid using emails or other personal identifiers as avatar seeds because they may be sent to remote avatar services and appear in URLs.

Install only if you are comfortable using a remote avatar service. Use random, pseudonymous, or hashed seed values, not raw emails, usernames tied to real people, customer IDs, or regulated data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly suggests using usernames and email addresses as avatar seeds while relying on a remote service, but it does not warn that those values will be transmitted to third-party endpoints and may appear in generated URLs. This creates a privacy risk because personally identifiable information can be exposed to the service provider, logs, browser history, referrers, and downstream systems consuming the URL.

External Transmission

Medium
Category
Data Exfiltration
Content
```yaml
openclaw:
    requires:
      bins:
        - curl
    emoji: "👤"
    homepage: https://pipeworx.io/packs/dicebear
---
```
Confidence
85% confidence
Finding
curl emoji: "👤" homepage: https://pipeworx.io/packs/dicebear --- # DiceBear Avatars Generate deterministic, unique avatars from any seed string. Same seed always produces the same avatar. Ch

External Transmission

Medium
Category
Data Exfiltration
Content
```json
{
  "url": "https://api.dicebear.com/7.x/bottts/svg?seed=alice",
  "style": "bottts",
  "seed": "alice"
}
```
Confidence
88% confidence
Finding
https://api.dicebear.com/

VirusTotal

63/63 vendors flagged this skill as clean.
