IMA AI Image & Photo Generator — Poster, Thumbnail, Logo, Art, Illustration, Product & Social Media Graphic Design

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed IMA image-generation integration, but users should understand that prompts, selected images, and an IMA API key are sent to IMA services and small local preference/log files are kept.

Install only if you are comfortable providing an IMA API key and spending IMA credits through this skill. Avoid using sensitive images unless you are comfortable uploading them to IMA's generation and media-upload services, consider a low-quota or test key first, and clear ~/.openclaw/memory/ima_prefs.json or ~/.openclaw/logs/ima_skills/ if you do not want local traces retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill's description understates materially relevant behaviors: it persists user preferences locally, may upload user-supplied local images to a separate service domain, enumerates provider models, and performs adaptive retry logic. These are not inherently malicious, but they create privacy, transparency, and data-handling risks because users may not expect local persistence or third-party transfer beyond the named API domain.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The skill explicitly stores persistent per-user preferences and local logs, which creates avoidable retention of user-associated metadata beyond core image generation. Even if described as benign, this increases privacy risk, enables profiling over time, and may expose user behavior or identifiers if the local environment is shared or compromised.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The keyword list includes extremely generic phrases such as broad variations of 'AI image generator', 'image generator', and related high-level capability terms that are likely to match many ordinary user requests outside this skill's intended invocation boundaries. This can cause over-triggering or unintended routing to the skill, increasing the chance that unrelated requests are intercepted and processed in the wrong context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Python dependencies for ima-ai-image-photo-generator skill
# Install with: pip install -r requirements.txt

requests>=2.25.0
Confidence
95% confidence
Finding
requests>=2.25.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
requests

VirusTotal

VirusTotal findings are pending for this skill version.
