
Security audit

A Python CLI skill for Cutout.Pro visual APIs — background removal, face cutout, and photo enhancement. Supports file upload & image URL input.

Security checks across malware telemetry and agentic risk

Overview

This is a user-directed Cutout.Pro image-processing skill, but users should know that the images they select (or the image URLs they supply) are sent to Cutout.Pro, and that the optional face analysis returns facial landmark data in the API response.

Install only if you are comfortable sending selected images or image URLs to Cutout.Pro and using your Cutout.Pro credits. Avoid sensitive photos, confidential documents, internal image URLs, or identifiable faces unless you have permission and accept third-party processing; keep CUTOUT_API_KEY private and do not commit .env files.
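The following is an added example, not code from the skill or from Cutout.Pro: a small policy layer that enforces the advice above before anything leaves the machine. It reads the key only from CUTOUT_API_KEY (no literal fallback), refuses image URLs that point at loopback, private or link-local addresses or internal-looking hostnames, requires an explicit opt-in before enabling faceAnalysis, caps the number of paid calls so retries cannot drain credits, and masks the key before a request is logged. The names (is_internal_url, SpendGuard, build_request, send, redact) are assumptions; the endpoint and the APIKEY header are taken from the snippet flagged in the findings, but how Cutout.Pro accepts URL input is not specified on this page, so the "source" entry is a local description handed to whatever transport you supply.

```python
import ipaddress
import os
from urllib.parse import urlparse

# Endpoint and header name as they appear in the flagged snippet; everything else is assumed.
API_URL = "https://www.cutout.pro/api/v1/matting2"


class PolicyError(Exception):
    """Raised when a request would violate the local data-handling policy."""


def is_internal_url(url: str) -> bool:
    """Return True if `url` must not be handed to a third party.

    Refuses non-http(s) schemes, literal IPs that are not globally routable
    (loopback, RFC 1918, link-local, ...) and hostnames that look internal.
    Caveat: hostnames are not resolved here, so a public-looking DNS name that
    resolves to a private address is not caught; resolve and re-check before use.
    """
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal; fall through to the hostname heuristics
    host = host.lower()
    return host == "localhost" or "." not in host or host.endswith((".local", ".internal", ".localhost"))


class SpendGuard:
    """Cap the number of paid API calls a session may make, counting retries."""

    def __init__(self, max_calls: int) -> None:
        self.max_calls = max_calls
        self.calls = 0

    def charge(self) -> int:
        """Consume one unit of budget before a call is made; raise once the cap is hit."""
        if self.calls >= self.max_calls:
            raise PolicyError(f"credit budget of {self.max_calls} call(s) exhausted")
        self.calls += 1
        return self.max_calls - self.calls


def build_request(image: str, *, face_analysis: bool = False,
                  accept_face_data: bool = False, env=None) -> dict:
    """Assemble a request description after applying the policy checks.

    `image` is a local path or an http(s) URL. The key is read from CUTOUT_API_KEY
    (never passed as a literal); faceAnalysis is only enabled when the caller
    explicitly accepts that landmark data comes back in the response.
    """
    env = os.environ if env is None else env
    api_key = env.get("CUTOUT_API_KEY")
    if not api_key:
        raise PolicyError("CUTOUT_API_KEY is not set; refusing to fall back to a literal key")
    if face_analysis and not accept_face_data:
        raise PolicyError("faceAnalysis returns facial landmark data; pass accept_face_data=True to opt in")
    params = {"mattingType": 3}
    if face_analysis:
        params["faceAnalysis"] = "true"
    if image.lower().startswith(("http://", "https://")):
        if is_internal_url(image):
            raise PolicyError("refusing to disclose an internal image URL to a third party")
        source = {"kind": "url", "url": image}
    else:
        source = {"kind": "file", "path": image}  # opened by the transport at send time
    return {"url": API_URL, "params": params, "headers": {"APIKEY": api_key}, "source": source}


def send(request: dict, guard: SpendGuard, transport):
    """Spend one unit of budget, then hand the request to `transport`.

    `transport` is whatever performs the HTTP call (for example a thin wrapper around
    requests.post); keeping it injectable means the policy checks can be exercised
    without touching the network or spending any credits.
    """
    guard.charge()
    return transport(request)


def redact(request: dict) -> dict:
    """Copy of `request` that is safe to log: the APIKEY header is masked."""
    safe = dict(request)
    safe["headers"] = {k: ("***" if k.upper() == "APIKEY" else v)
                       for k, v in request["headers"].items()}
    return safe


if __name__ == "__main__":
    demo_env = {"CUTOUT_API_KEY": "example-key"}  # constructed for the demo, not a real key
    guard = SpendGuard(max_calls=1)
    req = build_request("https://images.example.com/portrait.jpg", env=demo_env)
    # The identity transport stands in for the real HTTP call so the demo runs offline.
    print(redact(send(req, guard, transport=lambda r: r)))
```

The budget is charged before the call rather than after, so a transport that raises and is retried by a loop still counts against the cap; the opt-in flag for faceAnalysis is deliberately separate from the feature flag so that an automated caller cannot enable landmark extraction by accident.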

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The README instructs users to upload local images or provide image URLs to a third-party visual processing API, but it does not clearly warn that image contents and associated metadata may be transmitted off-device and handled by an external service. This can lead users to unknowingly send sensitive personal, biometric, or confidential images to a remote processor, which is especially important here because the skill supports face cutout and enhancement features involving potentially sensitive facial data.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill processes user-provided images and URLs via the external Cutout.Pro service, but the user-facing description does not clearly warn that those inputs leave the local environment. That omission can lead to unintended disclosure of sensitive personal photos, biometric face data, or internal image URLs to a third-party processor.

Missing User Warnings
Severity: Low
Confidence: 90%
Finding: Although the document mentions credit consumption later, it does not provide a clear upfront user warning that each API call may consume paid credits. This can cause unauthorized or unexpected spend, especially if the skill is integrated into automated workflows or repeatedly retried.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The documentation instructs users to upload images and send an API key to a third-party service but does not disclose the privacy and data-handling implications. This can lead to unintentional exfiltration of sensitive images or credentials to an external processor without informed user consent.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The face analysis option returns facial landmark data, which is sensitive biometric-style metadata, yet the documentation does not warn users that such data may be generated, transmitted, and exposed in responses. Users may unknowingly process regulated or highly sensitive face data, increasing privacy, compliance, and misuse risks.

External Transmission
Severity: Medium
Category: Data Exfiltration
Content:
```python
import requests

# Flagged snippet: a local file is read and posted to a third-party endpoint with
# faceAnalysis enabled; the API key here is a placeholder, not a real credential.
response = requests.post(
    'https://www.cutout.pro/api/v1/matting2?mattingType=3&faceAnalysis=true',
    files={'file': open('/path/to/portrait.jpg', 'rb')},
    headers={'APIKEY': 'your_api_key_here'},
)
```
Confidence: 84%
Finding: requests.post( 'https://

VirusTotal

66/66 vendors flagged this skill as clean.
