Codex Image Server

Security checks across malware telemetry and agentic risk

Overview

The skill matches its image-server purpose, but the included server template needs review because it exposes powerful local endpoints broadly and can send prompts or reference images to OpenAI automatically.

Review before installing or copying the template. Use it only in trusted projects, bind it to 127.0.0.1, add authentication, restrict CORS to trusted origins, choose the backend explicitly, remove OPENAI_API_KEY from the environment unless remote processing is intended, avoid returning absolute paths, and sanitize image IDs before serving files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill instructs the agent to inspect installations/source repos and to add and exercise a local HTTP server, which implies filesystem, environment, and network access, yet it declares no permissions. That mismatch can cause the skill to run with broader implicit capabilities than reviewers or enforcement systems expect, weakening least-privilege controls and making misuse harder to detect.

Vague Triggers

Medium
Confidence: 86%
Finding:
The default prompt is broad enough to trigger on generic project-setup requests, causing the skill to be implicitly invoked in situations where the user did not clearly ask to expose a local HTTP image server. Because this skill adds networking/server functionality, accidental invocation can expand attack surface, modify project architecture, or introduce unsafe defaults without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 90%
Finding:
When the backend resolves to OpenAI, user prompts and reference images are transmitted to api.openai.com, but this file provides no authentication, authorization, consent gate, or user-visible indication that local inputs may leave the machine. In the context of a skill marketed as a local HTTP image server for local workflows and plugins, that hidden data egress creates a meaningful privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.