ClawHub

ImageRouter

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill coherently teaches users how to call ImageRouter for image generation and editing, with normal privacy cautions for uploads and downloads.

Install only if you are comfortable sending prompts and any selected images or masks to ImageRouter under your API key. Avoid uploading private, regulated, or proprietary images unless you accept the provider's handling of that data, and review returned download URLs before saving files locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly demonstrates uploading local image files and prompts to a third-party remote API, but it does not warn users that local content may contain sensitive or private data. In this context, the omission is security-relevant because users may assume the examples are routine and fail to notice that personal images, masks, and prompts are being transmitted off-device.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The direct-download example writes a file to the local filesystem without any notice that it will create or overwrite local content. While the filename is fixed and not attacker-controlled here, silently encouraging file creation can still surprise users and contribute to unintended local state changes.

External Transmission

Medium
Category
Data Exfiltration
Content
### Image-to-Image (with input images):
```bash
curl 'https://api.imagerouter.io/v1/openai/images/edits' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -F 'prompt=transform this into a watercolor painting' \
  -F 'model=test/test' \
Confidence
84% confidence
Finding
https://api.imagerouter.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### Multiple images (up to 16):
```bash
curl 'https://api.imagerouter.io/v1/openai/images/edits' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -F 'prompt=combine these images' \
  -F 'model=test/test' \
Confidence
83% confidence
Finding
https://api.imagerouter.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### With mask (some models require mask for inpainting):
```bash
curl 'https://api.imagerouter.io/v1/openai/images/edits' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -F 'prompt=fill the masked area with flowers' \
  -F 'model=test/test' \
Confidence
85% confidence
Finding
https://api.imagerouter.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### Download image directly:
```bash
curl 'https://api.imagerouter.io/v1/openai/images/generations' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  --json '{"prompt":"abstract art","model":"test/test"}' \
  | jq -r '.data[0].url' \
Confidence
72% confidence
Finding
https://api.imagerouter.io/

Chaining Abuse

High
Category
Tool Misuse
Content
-H 'Authorization: Bearer YOUR_API_KEY' \
  --json '{"prompt":"abstract art","model":"test/test"}' \
  | jq -r '.data[0].url' \
  | xargs curl -o output.webp
```
Confidence
89% confidence
Finding
| xargs curl

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal