ChatArt

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its authentication and debug behavior can expose account credentials and device-identifying information in logs.

Review before installing. Use this only if you are comfortable sending prompts, local media, and generated-asset URLs to ChatArt/Alibaba-backed cloud services, and avoid private files or internal URLs. The publisher should remove raw debug logging of tokens/responses and make local logout unconditional before this is low-risk for shared or managed environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The auth helper builds a persistent device fingerprint from username and hardware/system attributes that are unrelated to the stated image/video generation purpose. This enables cross-session device tracking and transmits identifying host metadata to the service without clear necessity or consent, creating avoidable privacy and security risk.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The documentation says logout removes saved credentials, but the implementation only deletes the local credential file if a remote unbind call succeeds. A network failure or server-side rejection can therefore prevent local logout, leaving valid secrets on disk contrary to user expectation.

Intent-Code Divergence

Severity: Low
Confidence: 78%
Finding:
The credential-saving helper is documented as handling approved OAuth responses, but the polling logic saves credentials whenever the outer response code equals 200 before validating approval state. If the server returns account or token material in a non-approved state, the client would persist it prematurely and blur security state handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The client accepts absolute URLs whenever the provided path does not start with '/', allowing requests to destinations outside the intended ChatArt API domain. In a skill context, attacker-controlled or model-influenced input could turn this into arbitrary outbound requests, enabling data exfiltration, SSRF-style access to internal services, or credential leakage via attached auth headers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
put_file uploads any local file path to any provided upload URL without validating either the destination host or the file being sent. If an attacker can influence these arguments, the skill can exfiltrate arbitrary local files to external infrastructure, which is especially dangerous in an agent environment that may have access to user data or secrets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The script’s behavior materially differs from the skill manifest: instead of only supporting generation/editing workflows, it retrieves account credit and detailed usage history. This creates a scope-transparency problem that can expose account metadata, task history, and generated media URLs to users or downstream tooling that did not expect account-inspection capabilities.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The CLI labels the feature as credit management/usage history, but the code actually retrieves image/video history entries including task IDs, statuses, and media URLs. Mislabeling sensitive functionality can mislead users, reviewers, or orchestrating agents into authorizing broader data access than intended, increasing the risk of inadvertent privacy leakage.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The code accepts arbitrary HTTP/HTTPS URLs and downloads them to local storage in get_video_duration/download_video without allowlisting, size limits, content-type validation, or network destination restrictions. This creates a server-side request forgery and untrusted file download surface that can be abused to reach internal services or exhaust disk/bandwidth when the skill runs in a privileged environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
print_result downloads a video from result.message.url into a user-specified output directory, trusting a URL returned by the remote service. If that service is compromised, misconfigured, or attacker-influenced, the skill will fetch arbitrary content and write it locally, enabling SSRF-like network access and untrusted file creation on disk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill documentation states that local files are auto-uploaded and result links are returned, but it does not present this as a clear privacy warning to the user. That creates a risk of unintended transmission of sensitive local media or third-party content to external ChatArt services without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill mentions that authentication is required and that environment variables are handled automatically after login, but it does not clearly warn that login state and credentials are stored locally. Local persistence of auth material increases the risk of account compromise on shared or multi-tenant systems if users are not informed and safeguards are weak.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The `status` command is documented to display personally identifiable information (uid, email, name) and a masked portion of the API key without any warning to avoid echoing that data into chat transcripts, logs, screenshots, or shared terminals. Even partially masked secrets and account identifiers can aid account correlation, support social engineering, and leak private account metadata.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The `accountswitch` flow performs destructive actions—server-side unbinding and deletion of the local credentials file—before completing re-authentication, but the documentation provides no strong user-confirmation or warning requirements. This can cause unintended account disruption, loss of the current authenticated session, or confusion if triggered in the wrong context.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation explicitly allows local file paths and remote URLs as inputs for frames, images, and videos, but does not warn users that these assets may be uploaded to or fetched by an external service. This can lead to unintentional disclosure of sensitive local media, internal URLs, or private content to third-party systems, especially in an agent-driven workflow where users may not realize transmission occurs.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documentation encourages supplying local files or remote URLs to an external video-processing service without clearly warning that the referenced media may be uploaded off-device and processed by a third party. In a media-editing skill that handles personal images and videos, this can lead users to transmit sensitive biometric, personal, or proprietary content without informed consent or understanding of privacy implications.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation explicitly describes local media uploads and authenticated requests to third-party cloud services, but does not warn users that prompts, images, videos, and related metadata will leave the local environment. In an agent/skill context, this omission is security-relevant because users may unknowingly expose sensitive media, account-linked data, or proprietary content to external providers.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script prints raw fingerprint source data including username, machine, platform, and processor information to stdout. This unnecessarily exposes host-identifying information to terminal logs, wrappers, CI logs, or parent applications that may capture output.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The code prints the full token endpoint response, which may include access tokens, API keys, email addresses, identity identifiers, or other account data. Exposing this data in stdout/stderr can leak secrets to shell history substitutes, logs, host applications, or shared environments.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The initialization response is printed in full, potentially exposing verification URLs, device/session identifiers, token endpoints, and other login metadata. Such data can be sensitive in device-flow authentication and may aid session hijacking or account correlation if logs are exposed.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Debug logging prints self.headers, which includes the Token and Identity-Id authentication values, and also logs request/response bodies. These logs can expose active API credentials and potentially sensitive user content to console output, log aggregators, or downstream systems.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The code prints the full response body from the upload-policy endpoint, which likely contains temporary OSS credentials such as AccessKeyId, AccessKeySecret, and SecurityToken. In a skill environment, stdout/stderr may be captured by logs, telemetry, or other operators, allowing credential disclosure and unauthorized uploads or broader abuse of the storage bucket during token validity.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill prints the full request body, which may include user prompts, local file references, uploaded file IDs, and potentially sensitive creative or proprietary data. In shared logs, CI systems, agent traces, or multi-tenant environments, this becomes an information disclosure issue because sensitive inputs are exposed more broadly than necessary.

Ssd 3

Severity: Medium
Confidence: 88%
Finding:
The subcommand description says `status` shows uid, email, name, and a masked API key, which normalizes exposing account-identifying data and secret-adjacent material in operator-visible output. In an agent setting, such output may be surfaced to users, stored in logs, or included in telemetry, increasing privacy and credential handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.