Dataify Google Images

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Google Images-to-Dataify API helper with some consent-usability issues, but no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable sending Google Images search terms, and any location parameters you provide, to Dataify using your Dataify API token. Review the confirmation table carefully before approving a call; if you do not read Chinese, the publisher should localize those table headers for clearer consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrase is broad enough that ordinary user mentions of Google Images or images could activate the skill without clear intent to invoke an external API workflow. That can cause unintended tool use, data transmission to a third-party service, or confusing takeovers from a more appropriate skill.

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
Requiring fixed Chinese table headers for user-facing output overrides the user's language preference and can impair informed consent during the pre-call confirmation step. When confirmation details are shown in an unexpected language, users may approve parameters they do not fully understand before an external API call.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
This repeated hard requirement for Chinese-only headers reinforces a language lock that can reduce usability and clarity in a consent-sensitive workflow. Because the table is the final review before sending form data to an external API, lack of language choice increases the risk of accidental approval or misunderstanding.

Missing User Warnings

Medium
Confidence: 77%
Finding
The script transmits user-supplied queries and potentially sensitive geolocation parameters such as location, uule, lat, lon, and radius to a third-party API. In an agent/skill setting, this can cause unintended exfiltration of personal or sensitive search context if users are not clearly informed that their inputs are being sent off-platform.

VirusTotal

58/58 vendors flagged this skill as clean.
