Psd Automator

Security checks across malware telemetry and agentic risk

Overview

This PSD automation skill is not evidently malicious, but it needs review because it can broadly index local design files and modify or export PSD assets from chat-driven tasks with limited enforced scoping.

Install only if you are comfortable with local PSD automation. Use explicit narrow index roots, inspect or delete ~/.openclaw/psd-index.json as needed, run dry-run first, keep backups enabled, require human approval before real writes, and restrict which chat users or subagents can request edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The schema allows a `place_image` edit operation even though the skill is described as a PSD text-replacement automator. This expands the skill's effective capability from text editing into arbitrary visual content insertion, which can enable unauthorized content manipulation, misleading image swaps, or abuse of local file paths when combined with image placement inputs.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill implements capabilities well beyond its declared PSD text-replacement purpose, including image placement, PNG export, slice selection, and ZIP bundling. Scope expansion is dangerous because users and higher-level policy may authorize a narrowly bounded edit tool, while this code can create derivative assets and modify document structure in ways not clearly disclosed.

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The code accepts a reference image path and performs visual-similarity analysis over exported images, which introduces extra file access and content analysis unrelated to simple text replacement. In a local automation skill, this broadens data handling to potentially sensitive user images without a clearly necessary business purpose.

Vague Triggers

Medium
Confidence: 91%
Finding
The activation text is broad enough that ordinary chat requests containing file/path hints and replacement text could unintentionally trigger local file-editing automation. In an agentic environment, overly permissive routing increases the chance of executing write-capable actions on the wrong request or without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The run instructions encourage execution of a tool that modifies PSD/PSB files, but they do not prominently warn that normal mode performs local writes and may overwrite user data. Even with backup and dry-run support, insufficient disclosure can lead to accidental destructive actions when an operator assumes the task is preview-only.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script persistently inventories PSD/PSB files under broad default roots (Desktop and Documents) and stores associated metadata, including file paths, project names, layer names, and text contents sourced from sidecar data, into a long-lived JSON index in the user's home directory. Even though this is local-only code and not direct exfiltration, it creates a sensitive catalog of design assets and contents without explicit disclosure, consent, minimization, or retention controls, which increases privacy and data-exposure risk if the host, account, or other local tooling is compromised.

VirusTotal

67/67 vendors flagged this skill as clean.
