Security audit

GLM Image Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed image generator, but it automatically searches several local credential and config files for API keys and may fall back to a generic api_key entry without the user explicitly choosing which key, and therefore which provider, is used.

Install only if you are comfortable with the skill reading local config and .env files to find GLM or OpenRouter keys. Prefer setting an explicit GLM_API_KEY or OPENROUTER_API_KEY for the session and avoid relying on generic api_key entries in ~/.claude/config.json or ~/.env. Use --provider to choose where prompts are sent, and avoid putting sensitive information in image prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Tainted flow: 'image_url' from requests.post (line 191, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
```python
    filename = f"{timestamp}_{safe_prompt}.png"
    filepath = os.path.join(output_dir, filename)

    img_response = requests.get(image_url, timeout=60)
    img_response.raise_for_status()
    with open(filepath, "wb") as f:
        f.write(img_response.content)
```
Confidence
89% confidence
Finding
img_response = requests.get(image_url, timeout=60)
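The flow flagged above is the provider's JSON response steering where the skill issues its next GET and what it writes to disk. The following is an added example, not the skill's own code, of how that step can be constrained: the download URL is checked against an allowlist of expected hosts (the host names here are placeholders, since the page does not name the real CDN), the prompt-derived filename is reduced to a safe character set, and the resolved path is verified to stay inside the output directory. The fetcher is injected so the example runs offline; in the skill it would be `requests.get(url, timeout=60)`.

```python
import os
import re
from urllib.parse import urlsplit

# Placeholder allowlist: the hosts the image API is expected to hand back
# download URLs from. Replace with the provider's real download hosts.
ALLOWED_IMAGE_HOSTS = {"cdn.example-glm.test", "images.example-openrouter.test"}


def validate_image_url(image_url: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> bool:
    """Return True only for URLs we are willing to fetch.

    The URL arrives inside the provider's response, so from the skill's point of
    view it is untrusted input. Require https, a hostname from the allowlist, no
    embedded credentials and the default port.
    """
    try:
        parts = urlsplit(image_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    if (parts.hostname or "").lower() not in allowed_hosts:
        return False
    return port in (None, 443)


_UNSAFE = re.compile(r"[^A-Za-z0-9_-]+")


def safe_output_path(output_dir: str, timestamp: str, prompt: str, max_len: int = 60) -> str:
    """Build the output path the way the flagged snippet does, but constrained.

    The prompt is user text: collapse anything outside [A-Za-z0-9_-] to '_',
    cap the length, then confirm the resolved path is still under output_dir.
    """
    safe_prompt = _UNSAFE.sub("_", prompt).strip("_")[:max_len] or "image"
    filename = f"{timestamp}_{safe_prompt}.png"
    out_root = os.path.realpath(output_dir)
    filepath = os.path.realpath(os.path.join(out_root, filename))
    if os.path.commonpath([out_root, filepath]) != out_root:
        raise ValueError("output path escapes output_dir")
    return filepath


def download_image(image_url, output_dir, timestamp, prompt, fetch):
    """Fetch only after both checks pass. `fetch(url) -> bytes` is injected."""
    if not validate_image_url(image_url):
        raise ValueError(f"refusing to fetch {image_url!r}")
    filepath = safe_output_path(output_dir, timestamp, prompt)
    content = fetch(image_url)
    with open(filepath, "wb") as f:
        f.write(content)
    return filepath


def demo():
    """Offline run with a stub fetcher that returns constructed bytes."""
    import tempfile
    outdir = tempfile.mkdtemp(prefix="glm_demo_")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # constructed, not a real image
    path = download_image("https://cdn.example-glm.test/o/1.png", outdir,
                          "20240101T000000", "a cat, drawn", lambda url: fake_png)
    with open(path, "rb") as f:
        written_ok = f.read() == fake_png
    return os.path.basename(path), written_ok


if __name__ == "__main__":
    print(demo())
```

If the provider serves images from signed URLs on a third-party CDN, that CDN host has to be in the allowlist; the point is that the set of hosts the skill will contact is fixed by the skill, not by whatever the API response contains.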

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill performs privileged actions including reading environment variables, reading local config files, making network requests, and writing files, but it does not declare those capabilities. That weakens review and consent boundaries because users and platforms cannot accurately assess what the skill can access before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest says the skill generates images using GLM-Image, but the instructions also enable OpenRouter, automatic credential discovery across multiple sources, cost/metadata queries, and local file downloads. This mismatch is dangerous because it hides materially different data flows and external dependencies from anyone relying on the manifest for trust and approval decisions.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill is presented as a GLM-Image generator but also supports OpenRouter and multiple third-party models/providers. That mismatch increases the risk of users unknowingly sending prompts and metadata to a different external service than the skill description suggests, which is a security and privacy trust-boundary issue.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The code searches multiple unrelated config and .env locations, including user home directories, to discover API keys. In a skill context, broad credential harvesting behavior exceeds minimal need, can unintentionally use secrets the user did not intend for this skill, and expands the blast radius if the skill is abused or repurposed.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger text is very broad and can activate on generic phrases like 'draw' or 'any image generation request,' increasing the chance the skill runs in contexts the user did not intend. Overbroad invocation raises the risk of unnecessary credential checks, network calls, and file writes triggered by ordinary conversation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The description advertises broad natural-language triggers such as "generate an image of" and "draw," which can match ordinary user conversation without clear scoping or boundary conditions. In an agent environment, this increases the chance of unintended invocation, causing the skill to intercept requests it should not handle and potentially execute external image-generation actions unexpectedly.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The manifest trigger list contains short, ambiguous phrases like "draw a" and "generate an image" that lack clear boundaries and are likely to overlap with benign conversation. Because this skill has exec permission, accidental matching is more dangerous: a false trigger could launch code or external API calls, creating unintended actions, cost, and privacy exposure.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
```bash
python3 -c "
import os, json, pathlib
glm = bool(os.environ.get('GLM_API_KEY'))
orouter = bool(os.environ.get('OPENROUTER_API_KEY'))
if not glm and not orouter:
    for p in ['~/.openclaw/config.json', '~/.claude/config.json']:
```
Confidence
97% confidence
Finding
os.environ.get('GLM_API_KEY')

Env Variable Harvesting

High
Category
Data Exfiltration
Content
```bash
python3 -c "
import os, json, pathlib
glm = bool(os.environ.get('GLM_API_KEY'))
orouter = bool(os.environ.get('OPENROUTER_API_KEY'))
if not glm and not orouter:
    for p in ['~/.openclaw/config.json', '~/.claude/config.json']:
        try:
```
Confidence
97% confidence
Finding
os.environ.get('OPENROUTER_API_KEY')
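The two Env Variable Harvesting findings and the Context-Inappropriate Capability finding describe the same pattern: when neither named variable is set, the skill walks config files under the home directory and may settle on a generic key. The overview's advice is to rely on explicit GLM_API_KEY / OPENROUTER_API_KEY and `--provider` instead. The following is an added example, not the skill's code, of a credential resolver that does only that: it reads two named environment variables, never opens config or .env files, refuses a generic `api_key`, and forces the caller to pick a provider when both keys are present rather than silently sending prompts to one of them. The `environ` mapping is passed in so the example runs offline; the provider and variable names are the ones the page mentions.

```python
import argparse
import os
from dataclasses import dataclass

# The only credential sources this resolver consults.
PROVIDER_ENV = {
    "glm": "GLM_API_KEY",
    "openrouter": "OPENROUTER_API_KEY",
}


class CredentialError(RuntimeError):
    pass


@dataclass(frozen=True)
class Credential:
    provider: str
    key: str
    source: str  # the env var name, safe to log; the key itself is not


def resolve_credential(environ, provider=None):
    """Select the API key for one provider from explicitly named env vars only.

    Unlike the skill's fallback, this never reads ~/.claude/config.json,
    ~/.openclaw/config.json or ~/.env, so keys provisioned for other tools
    cannot be picked up, and a generic 'api_key' entry is never accepted.
    """
    if provider is not None and provider not in PROVIDER_ENV:
        raise CredentialError(f"unknown provider {provider!r}")
    found = {}
    for name, var in PROVIDER_ENV.items():
        value = environ.get(var)
        if value:
            found[name] = value
    if provider is None:
        if not found:
            raise CredentialError(
                "set GLM_API_KEY or OPENROUTER_API_KEY; config files are not consulted")
        if len(found) > 1:
            raise CredentialError(
                "both GLM_API_KEY and OPENROUTER_API_KEY are set; choose with --provider")
        provider = next(iter(found))
    key = found.get(provider)
    if key is None:
        raise CredentialError(f"{PROVIDER_ENV[provider]} is not set")
    if key != key.strip():
        raise CredentialError(f"{PROVIDER_ENV[provider]} has leading/trailing whitespace")
    return Credential(provider, key, PROVIDER_ENV[provider])


def redact(cred):
    """Log-safe description of which credential was chosen."""
    return f"{cred.provider} via {cred.source} ({cred.key[:4]}...)"


def main(argv=None, environ=None):
    """Parse the --provider flag and resolve the key; returns the provider name.

    Nothing is sent anywhere; the network call would follow this step.
    """
    parser = argparse.ArgumentParser(description="explicit-credential image generation")
    parser.add_argument("--provider", choices=sorted(PROVIDER_ENV))
    parser.add_argument("prompt")
    args = parser.parse_args(argv)
    cred = resolve_credential(os.environ if environ is None else environ, args.provider)
    print(f"would send prompt to {redact(cred)}")
    return cred.provider


if __name__ == "__main__":
    main()
```

Running it with both variables set and no `--provider` fails closed, which is the opposite of the audited behaviour: the ambiguity surfaces to the user instead of being resolved by whichever key the scan happened to find first.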

VirusTotal

63/63 vendors flagged this skill as clean.
