ClawHub

Image Social Media

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for a third-party image-generation CLI, with expected network use, media uploads, and API-key storage for that purpose.

Before installing, review the dLazy CLI source/package and be comfortable sending prompts and any supplied media to dLazy's cloud services. Use an environment variable instead of saved config if you do not want a persistent API key, avoid uploading sensitive media, and note that @latest may change over time.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill materially understates its behavior by claiming it will not access the network or file system, while later directing the agent to run a CLI that sends prompts to remote APIs and uploads local media. This can mislead users and downstream agents about data exfiltration risk, especially when local file paths or sensitive media are provided under the assumption that no such access occurs.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill text minimizes risk by claiming it 'will not access network or files,' but elsewhere explicitly instructs the agent to use a CLI that sends prompts to remote APIs and uploads local media to cloud storage. This mismatch can mislead users or higher-level agents into granting trust or permissions they would not otherwise allow, increasing the chance of unintended data exfiltration or unsafe command execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal