Back to skill

Security audit

九马免费图片编辑

Security checks across malware telemetry and agentic risk

Overview

This is a real Jiuma image-editing skill, but it sends user images and prompts to Jiuma and stores a Jiuma API key locally in plaintext, so users should review it before installing.

Install only if you are comfortable sending selected images, image URLs, and prompts to Jiuma for cloud processing. Avoid private, regulated, or confidential images. If you use the login flow, assume the Jiuma API key is stored as plaintext under the OpenClaw workspace .jiuma directory; remove or rotate it when no longer needed, especially on shared or synced machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents file access, local persistence, and network interaction, but it declares no permissions. This deprives users and the platform of informed consent and policy enforcement, especially because the skill uploads images to a remote service and stores login-derived credentials locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The advertised purpose is image editing, but the documented behavior also includes an account login flow, QR-code authentication, token checking, and saving an API key for future use. That mismatch can cause users or orchestration systems to invoke the skill without realizing it can handle account state and persist secrets, expanding trust beyond the declared scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill creates a persistent directory and file path specifically to store the Jiuma API key on local disk. Storing credentials unencrypted in a predictable location increases the risk of credential theft by other local processes, users, or later skill executions, and this persistence is not clearly necessary for a simple image-editing capability.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
These functions implement direct read/write persistence of the API key without access controls, encryption, integrity protection, or validation. This expands the skill's privilege beyond image editing into credential storage, creating a local secret exposure risk and making the key available to unintended readers if the environment is shared or compromised.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance says to use the skill whenever a user needs to modify image content, which is broad enough to trigger it in many contexts without first surfacing privacy, copyright, or remote-upload implications. In an agent environment, overly broad routing increases the chance of sending local images and prompts to a third party when a user did not specifically consent to that path.

Missing User Warnings

High
Confidence
98% confidence
Finding
The markdown describes local and remote image support and remote task/result URLs, but it does not clearly warn that local images and user prompts are transmitted to a third-party API. This is dangerous because images may contain sensitive personal, proprietary, or regulated data, and users may reasonably assume local processing if not told otherwise.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The login section says the API key is obtained and automatically saved locally, but it does not clearly explain where it is stored, how it is protected, who can access it, or how to remove it. Secret persistence without transparent handling guidance can expose credentials to other local users, logs, backups, or unintended reuse by later runs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill submits user-provided prompt text and up to three images, including local files, to a third-party API without any explicit user-facing disclosure at the time of submission. This can expose sensitive personal images or confidential data to an external service unexpectedly, especially in agent contexts where users may assume processing is local.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code saves the returned secret_key via save_jiuma_api_key() without any visible disclosure, confirmation, or indication of storage scope in this file. Silent persistence of API credentials increases the risk of users unknowingly leaving sensitive tokens on disk where other local processes or users may access them, especially if storage is insecure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code writes the API key to disk silently, with no user-facing disclosure or consent mechanism visible in this file. Silent credential persistence is dangerous because users may reasonably expect a transient image-editing skill not to retain long-lived secrets, and undisclosed retention increases the blast radius of any local compromise.

Ssd 3

Medium
Confidence
91% confidence
Finding
The instruction to record the skill in memory for later retrieval is a natural-language directive to retain information beyond the immediate task. In agent systems, such retention can normalize storing user- or task-related context without consent, increasing privacy risk and creating opportunities for cross-session leakage or unintended future use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.