Creative Media

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed hosted creative-media integration, but users should understand that prompts, media, outputs, and spending flow through an external Image Skill service.

Install this only if you are comfortable using Image Skill's hosted service for media generation and with its npm CLI being run by agents. Avoid sending confidential, regulated, personal, or unreleased assets unless you have approved that external processing and storage, and allow spend only when you intend to use paid media generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The skill’s trigger guidance is overly broad, telling agents to use it for vague categories like 'generative media' and 'creative media' without clear boundaries, exclusions, or consent checks. That increases the chance an agent will invoke this external hosted service in situations where a user did not explicitly request third-party processing or where another safer/local tool would be more appropriate.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly promotes a hosted runtime, durable hosted URLs, recoverable jobs, and keeping generated work in the service, but it does not clearly warn that prompts and generated content may be transmitted to and stored by an external provider. This creates a privacy and data-governance risk because agents may send sensitive prompts, images, audio, or derived media off-platform without meaningful user awareness or approval.

VirusTotal

64/64 vendors flagged this skill as clean.