Back to skill

Security audit

Sketch Illustration

Security checks across malware telemetry and agentic risk

Overview

This skill is an illustration generator, but it uses shared local credentials and can automatically send generated images to a hardcoded Feishu recipient, so users should review it before installing.

Install only if you intend generated prompts/images to be processed by external image APIs and sent through Feishu. Before use, review or change scripts/send_to_feishu.sh, especially the default open_id, and avoid sensitive or proprietary content unless the Feishu destination, account credentials, and third-party model processing are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill invokes file paths under /root/myfiles/, reads local reference files, and performs outbound network actions via Feishu upload/send, yet no permissions are declared. This creates a transparency and policy-enforcement gap: reviewers and runtime controls cannot accurately assess or constrain what the skill can access or transmit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The documented behavior promises a general-purpose illustration skill with five styles, but the finding indicates implementation depends on a narrower fixed generation pipeline and an undeclared external service. Behavior-description mismatch is dangerous because users and reviewers may approve or invoke the skill under false assumptions about what it generates and where data is sent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document claims this stage only packages prompts, but later authorizes the agent to directly execute remote batch image-generation requests. That mismatch can cause operators or downstream agents to perform networked side effects under a packaging-only phase, increasing the chance of unintended data transmission and execution without a clearly scoped consent boundary.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file presents stage 4 as a non-editing packaging step, yet also defines an operational workflow that performs batch API execution. This internal inconsistency is risky because agents may treat the stage as low-risk formatting work while still carrying out external actions, which weakens review and approval expectations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documented workflow expands a nominally image-generation skill into executing local scripts and making credentialed external API calls, which materially increases the skill's operational scope. That creates a path for unintended code execution, external data transmission, and misuse of local environment resources beyond what a user would reasonably expect from an illustration helper.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The workflow explicitly references reading a local API configuration file containing credentials for external API use, even though the skill is presented as an illustration-generation skill rather than a credentialed integration tool. This can lead to unauthorized access to local secrets and silent use of those credentials to send user content to third-party services.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads a provider API key directly from a global config file under /root and exports it into the environment, even though the skill's stated purpose is image generation. While the key may be needed for a backend model call, pulling it from a broad shared configuration increases credential exposure and couples the skill to privileged host secrets beyond a narrowly scoped skill boundary.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill falls back to reading an API key from ~/.openclaw/openclaw.json, which is an unrelated local user configuration source. Accessing broader local config files than necessary increases secret exposure and can unintentionally reuse credentials from another tool without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The wrapper silently reads Feishu app credentials and domain from a global host config file, giving this skill access to secrets and messaging capabilities beyond what its simple CLI interface suggests. In the context of an auto-triggered illustration skill that uploads generated images to Feishu, hidden credential access increases the risk of unauthorized external transmission and makes review/auditing harder.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The documented interface claims only an image path and optional open_id are needed, but the script also depends on hidden local Feishu credentials and configuration. This mismatch obscures the true privilege and network requirements of the skill, undermining informed consent and security review.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger covers very broad illustration-related requests, making accidental invocation likely in ordinary conversations. Overbroad triggering increases the chance the skill runs when the user did not intend image generation or external sending, especially given the Feishu transmission behavior described elsewhere.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill states that generated images are automatically uploaded and sent to Feishu but does not clearly warn the user that content will be transmitted to an external messaging platform. This can expose sensitive prompts, embedded text, or generated diagrams to unintended recipients without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The execution flow operationalizes external upload and sending through a Feishu script, but the instructions do not require explicit confirmation or recipient verification at send time. As a result, generated files can be automatically shared outside the local environment, creating a direct data-exfiltration path if the content is sensitive or the recipient is incorrect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions tell the agent to execute a batch API request immediately after the user selects the batch option, without a final warning about network transmission, external processing, possible costs, or what data will be sent. In a skill that auto-uploads generated images to Feishu, this increases the risk of unintended disclosure and surprise side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instruction to proceed directly with JSONL generation and execution after the user selects batch mode removes a final confirmation checkpoint before an external action occurs. This increases the chance of accidental outbound requests, unintended charges, or transmission of sensitive prompt content without a clear last-mile consent step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The batch API guidance describes using local configuration and request packs for external calls but does not disclose that prompts and related content will be transmitted to a third-party API. In a skill context, missing disclosure weakens informed consent and can expose sensitive business or personal content embedded in prompts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
A sensitive API credential is accessed and exported without any user-facing disclosure, so users cannot tell that running this skill consumes a privileged secret from the host environment. This reduces transparency and makes misuse or unintended credential exposure harder to detect, especially in multi-skill or shared-runner environments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script invokes a Python generator that likely performs network-backed model inference, but there is no visible indication to the user that prompt content and generated data may be sent to an external service. In an illustration skill this behavior is expected, but undisclosed network transmission still creates privacy, compliance, and cost-consumption risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
User-supplied prompt text is sent to an external third-party API, but the code provides no explicit disclosure or consent mechanism about that network transfer. In a skill context, prompts may contain sensitive business or personal information, making silent transmission a privacy and data-governance risk.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The script sources credentials from environment variables or a local config file without telling the user. While common in CLI tools, undisclosed credential sourcing can surprise users and reduce transparency, especially when combined with outbound requests to a third-party API.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script extracts Feishu app credentials from a local configuration file and forwards them to another program without any user-facing disclosure. Passing secrets across process boundaries increases exposure through process inspection, logs, crash dumps, or misuse by the downstream script.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically performs an outbound Feishu send operation, transmitting a local file off-host, but provides no visible warning or confirmation. In this skill's context, automatic upload is part of the advertised behavior, yet the lack of transparency still makes accidental exfiltration of sensitive local images more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.