Fal Text-to-Image

Security checks across malware telemetry and agentic risk

Overview

This is a coherent fal.ai image-generation skill. Its remote API use and EXIF metadata behavior are expected for such a tool, but users should understand both before sharing inputs or outputs.

Install only if you are comfortable sending prompts and images to fal.ai for remote processing. Do not submit confidential prompts, sensitive personal images, secrets, or internal-only image URLs unless that use is approved; monitor the fal.ai spend tied to your API key; and strip EXIF metadata from generated images before publishing or sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding
The README describes image remix/edit features that accept local files or URLs, but it does not clearly warn users that prompts and source images are transmitted to fal.ai for remote processing. This can cause users to unknowingly upload sensitive images, proprietary content, or personal data to a third-party service, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README advertises embedded metadata in output images but does not warn that prompts and generation parameters are stored in EXIF metadata. Users may share generated images believing them to be sanitized, while the files still contain potentially sensitive prompts, workflow details, or internal model settings that can be extracted by others.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to supply prompts, reference images, and source images to a third-party API but does not clearly disclose that this content will be transmitted to fal.ai for remote processing. In an image-generation/editing skill, users may provide sensitive photos, proprietary artwork, or confidential prompts, so lack of disclosure creates a real privacy and data-handling risk rather than a purely documentation issue.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill states that generated images are saved with EXIF metadata containing the prompt, model, and parameters, but it does not warn that this metadata may persist when images are shared, published, or reused. That can leak sensitive creative inputs, internal project details, or personal information embedded in prompts, especially in professional or enterprise workflows.
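The two EXIF findings above come down to one practical check: before an image leaves your machine, list what text it carries and rewrite it without that text. The script below is an added example, not code from the skill or from SkillSpector, and uses only the Python standard library. The PNG chunk and JPEG segment layouts are the real container formats; the sample files are constructed inline, and the assumption that the generator stores the prompt in a PNG tEXt chunk or a JPEG APP1 (Exif) segment is mine, since the page only says "EXIF metadata".

```python
"""Added example: list and strip text/EXIF metadata from PNG and JPEG output
before sharing. Standard library only. Sample files are constructed here;
the placement of the prompt (tEXt chunk / APP1 Exif segment) is an assumption."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary PNG chunks that carry free text or EXIF; none is needed to render.
PNG_META_CHUNKS = {b"tEXt", b"iTXt", b"zTXt", b"eXIf"}


def png_chunk_bytes(ctype, body):
    """Serialise one chunk: length, type, body, CRC over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def png_chunks(data):
    """Yield (type, body) for every chunk, verifying each CRC so corruption fails loudly."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body):
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, body
        pos += 12 + length


def png_metadata(data):
    """Return {keyword or chunk type: text} for everything a recipient could read."""
    found = {}
    for ctype, body in png_chunks(data):
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype in PNG_META_CHUNKS:
            found[ctype.decode("ascii")] = "<%d bytes>" % len(body)
    return found


def png_strip(data):
    """Rebuild the PNG with only the chunks needed to display it."""
    return PNG_SIG + b"".join(png_chunk_bytes(t, b) for t, b in png_chunks(data) if t not in PNG_META_CHUNKS)


def jpeg_segments(data):
    """Yield (marker, raw segment) for each header segment; SOS/EOI yields the remainder and stops."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):            # SOS or EOI: entropy-coded data follows, copy as-is
            yield marker, data[pos:]
            return
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos:pos + 2 + seglen]
        pos += 2 + seglen


def _is_meta(marker):
    return 0xE0 <= marker <= 0xEF or marker == 0xFE   # APPn (Exif, XMP, ICC, ...) or COM


def jpeg_metadata(data):
    """Return [(segment name, first body bytes)] for APPn and COM segments."""
    return [("APP%d" % (m - 0xE0) if m != 0xFE else "COM", seg[4:24])
            for m, seg in jpeg_segments(data) if _is_meta(m)]


def jpeg_strip(data):
    """Drop APPn and COM segments; keep tables, frame header and everything from SOS on."""
    return b"\xff\xd8" + b"".join(seg for m, seg in jpeg_segments(data) if not _is_meta(m))


def make_sample_png(prompt):
    """Constructed 1x1 greyscale PNG carrying the prompt the way the skill is assumed to."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + png_chunk_bytes(b"IHDR", ihdr)
            + png_chunk_bytes(b"tEXt", b"prompt\x00" + prompt.encode("latin-1"))
            + png_chunk_bytes(b"tEXt", b"parameters\x00model=demo, seed=4")
            + png_chunk_bytes(b"IDAT", zlib.compress(b"\x00\x80"))
            + png_chunk_bytes(b"IEND", b""))


def _seg(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


def make_sample_jpeg(prompt):
    """Constructed JPEG header (structure only, not decodable) with an Exif segment and a comment."""
    return (b"\xff\xd8"
            + _seg(0xE1, b"Exif\x00\x00MM\x00*" + prompt.encode("latin-1"))   # APP1 Exif: dropped
            + _seg(0xDB, b"\x00" + bytes(64))                                  # DQT: kept
            + _seg(0xFE, b"generated on fal.ai")                               # COM: dropped
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\xd9")


if __name__ == "__main__":
    png = make_sample_png("internal codename mockup, do not share")
    print(png_metadata(png), "->", png_metadata(png_strip(png)))
    jpg = make_sample_jpeg("prompt: internal codename mockup")
    print(jpeg_metadata(jpg), "->", jpeg_metadata(jpeg_strip(jpg)))
```

Run `png_metadata` or `jpeg_metadata` first and read the output: it is exactly what anyone who receives the file can read. `jpeg_strip` removes every APPn segment, which also discards the ICC profile (APP2) and the JFIF header (APP0); that affects colour rendering, not privacy, so keep them selectively if you need them. Pixel data and the chunks required to decode it are copied through untouched.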

VirusTotal

66/66 vendors reported this skill as clean. Note that antivirus engines look for known malicious code in the files; a clean verdict says nothing about the data-handling findings above, which concern where the skill sends your inputs and what it writes into its outputs.