Image generation skill - supports dynamic API configuration and task memory, automatically discovers the available features from the token, and supports text-to-image and image-to-image

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill, but it handles API tokens and uploaded images in ways users should review carefully before installing.

Review before installing:
  • Use only a limited, revocable GNano token.
  • Assume the token is sent to the configured GNano API and may appear in command output or local task files.
  • Avoid custom API URLs unless you trust them.
  • Do not submit sensitive reference images.
  • Delete any .workbuddy/gnano-tasks state when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 85%
Finding: The skill clearly performs remote API interactions (`get_config.py`, `generate_image.py`) but does not declare network permissions. Hidden or undeclared network capability reduces transparency and can cause users or hosting platforms to underestimate the data exposure surface, especially since prompts, tokens, and reference images are sent off-box.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The documentation says the token is 'only saved locally and not transmitted externally,' but the described workflow necessarily uses the token to authenticate to a remote API. This is a misleading data-handling claim that can cause users to disclose credentials under false assumptions about where those credentials go.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The capability probe treats network failures and unexpected server responses as if the token were valid, then falls back to known models. That can mislead downstream logic into operating with unverified credentials and inferred capabilities, causing security-relevant trust decisions to be made on false assumptions and potentially masking connectivity or authentication problems.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill instructs storage of user-provided API tokens in per-conversation task-state files without a clear warning about credential retention. Persisting secrets increases exposure to accidental leakage through local file access, backups, logs, or other workspace tooling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The examples show user prompts and reference images being used for image generation via a remote API, but there is no clear warning that this content leaves the local environment. This omission is especially sensitive because reference images may contain personal or intimate data and prompts may contain confidential information.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script reads local reference images, base64-encodes them, and includes them in the JSON payload sent to a remote API. Although this is functionally required for image-to-image generation, there is no explicit user-facing warning or confirmation that local files will be transmitted off-host, which can lead to unintended disclosure of sensitive images in an agent/skill context.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The script prints the supplied API token back to stdout in its JSON output, which can expose credentials in terminal history, logs, CI job artifacts, process captures, or calling applications that record output. In a skill context, this is especially dangerous because automation frameworks frequently collect and persist stdout, turning a single invocation into credential leakage.

Ssd 3

Severity: Medium
Confidence: 92%
Finding: The skill explicitly tells the agent to remember and persist user API tokens across the task session. Persisted credentials materially increase the blast radius of any local compromise, misconfigured permissions, unintended workspace sharing, or subsequent prompt leakage that exposes state.

Ssd 3

Severity: High
Confidence: 98%
Finding: The configuration output example includes returning the user's API token as a normal field and displaying it in workflow data. Exposing secrets in command output or UI text makes accidental disclosure through logs, screenshots, transcripts, shell history, or debugging artifacts much more likely.

Ssd 3

Severity: High
Confidence: 99%
Finding: The documented task-state schema stores the full API token in per-conversation local files. Storing plaintext credentials on disk creates a straightforward secret-at-rest exposure that can be exploited by any process, plugin, user, backup system, or artifact collection mechanism with workspace access.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The notes direct the assistant to keep the user's token in local task state for later reuse, normalizing credential retention without emphasizing the security tradeoff. Reuse convenience increases the chance that a later unrelated action, state dump, or workspace exposure reveals the secret.

VirusTotal

64/64 vendors flagged this skill as clean.