ClawHub

图可丽视觉api

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tukeli image-processing API wrapper, with privacy and API-key cautions users should understand before use.

Install only if you are comfortable sending selected images, image URLs, Base64 image data, face-analysis requests, and AI background prompts to Tukeli's external API. Avoid regulated or private face images unless you have consent and an appropriate data-handling basis. Protect TUKELI_API_KEY because API calls can spend account credits, and review or delete generated .meta.json files if local file paths or source URLs are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill describes image processing features but does not clearly warn that user-supplied images or image URLs are transmitted to Tukeli's third-party API for processing. This is dangerous because users may provide sensitive or private images without understanding that the content leaves the local environment and becomes subject to a remote provider's handling, retention, and logging practices.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The setup instructions tell users to place `TUKELI_API_KEY` in `.env` but do not warn about credential-handling risks such as accidental check-in, exposure in logs, or reuse of privileged keys. This can lead to API key leakage and unauthorized use of the account, especially in shared development environments or when debugging command outputs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly instructs users to upload images, submit image URLs, and optionally request face landmark analysis, but it does not disclose that these images and derived biometric-related data are sent to a third-party service. This creates a real privacy and compliance risk because users or downstream integrators may process sensitive personal data without informed consent, proper notice, or data-handling controls.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal