Security checks across malware telemetry and agentic risk

Overview

This Meitu image skill pack mostly matches its stated purpose, but it asks users to share API secrets in chat and has under-disclosed privacy/persistence behavior around personal photos, memory, and profile data.

Install only if you are comfortable with Meitu API processing, local credential use, and cross-task personalization. Do not paste AK/SK into chat; configure credentials locally through environment variables or a protected credentials file. Review and limit any stored visual memory, profile facts, and reference photos before using this on sensitive personal, biometric, business, or client images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (71)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill tells users credentials 'will not be uploaded to any server,' but the entire purpose of the Meitu CLI/OpenAPI flow is to authenticate to remote services using those credentials. This is a misleading security assurance that may cause users to share secrets under false assumptions about where and how they are used.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The skill explicitly instructs users to send raw AK/SK secrets in chat and claims the agent will automatically save them locally, but the declared permissions only cover reading credential files and executing the CLI. This creates a mismatch between documented behavior and authorized capabilities, encouraging unsafe secret disclosure and potentially prompting an agent to handle credentials outside an auditable, least-privilege flow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
A CLI execution hub does not need users to disclose raw API credentials directly to the conversational agent, yet the documentation recommends exactly that. This expands secret exposure unnecessarily and increases the chance that credentials are retained in chat logs, telemetry, or mishandled by downstream tooling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
This code automatically loads Meitu API credentials from files in the user's home directory and injects them into the execution environment, even though this module is framed as input normalization/validation. That broadens the skill's capability from request parsing into implicit secret acquisition, which can enable downstream commands to use privileged credentials without explicit user awareness or per-action consent.

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding
This file implements autonomous runtime update behavior, including version checks and installation logic, which materially exceeds a routing skill's declared role. Because it can fetch and install code at runtime via npm, it expands the trust boundary to the network and package registry, creating a supply-chain and unexpected code execution risk.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The code performs network-backed npm queries and global package management despite the skill being described as a router/tool entrypoint, not an updater. Querying `npm view` and then executing `npm install -g` on a configurable package/channel introduces remote dependency trust and the ability to replace runtime components outside normal deployment controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding
Persisting updater state under the user's home directory is not inherently dangerous, but in this context it creates undeclared persistence for update behavior and records package/version state outside the skill's stated routing purpose. That persistence makes the autonomous updater harder to notice, audit, and control across runs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill persists user preferences into project/global memory even though the task is narrowly scoped to generating ID photos. Because this workflow handles sensitive biometric images and related appearance preferences, retaining cross-session style data creates unnecessary privacy risk and potential secondary use beyond the user's immediate request.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill is presented as an image-repair pipeline, but it also defines logic to read, write, promote, and persist user preferences across projects. That expands data handling beyond the stated purpose and creates unnecessary privacy and scope-creep risk, especially because preference recording is triggered from ordinary workflow feedback rather than a clearly separated consented feature.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The documented use of cross-project preference memory is not necessary to perform image fixing, yet it can store and promote user styling preferences into broader scopes. This violates least privilege and purpose limitation: a tool for repairing one image should not silently evolve into a persistent profiling mechanism.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The document explicitly authorizes reading and writing persistent data under a shared cross-agent workspace, including global memory, scene memory, observations, rules, and project files. In a skill whose purpose is image/poster generation, this creates unnecessary data exposure and cross-session persistence risk, because user feedback and project context can be read or modified beyond what is strictly needed to fulfill a single request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The protocol instructs the agent to execute a local Node.js scaffold script to create projects. Allowing a skill to spawn subprocesses based on environment-derived paths expands capability from content generation to code execution, which is risky if the path or script is tampered with or if such execution is unnecessary for the task.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The skill claims local profile and memory data never leaves the device, but later instructs the agent to embed personalized context from those files into prompts sent to the Meitu API. That creates a direct contradiction that can mislead users into consenting to processing under false assumptions and can expose sensitive personal details to a third-party service.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill explicitly instructs users to paste API credentials into chat for automatic configuration, but chat is not an appropriate secret-entry channel unless there are strong controls and warnings. This creates a direct risk of credential exposure through logs, transcripts, model context, or downstream handling.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill asks users to transmit AK/SK directly to the agent without an explicit warning that chat is an unsafe channel for secrets. That pattern normalizes credential sharing over conversational interfaces and can lead to credential compromise if logs, transcripts, or integrations are accessible.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The alias "generate" is extremely generic and can collide with many ordinary user requests, increasing the chance that the wrong tool is invoked. In a routing skill that dispatches direct CLI-style commands, this ambiguity can cause unintended image-generation actions, parameter binding mistakes, or bypass of more specific scene skills.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The alias "poster" is ambiguous and may match common conversational requests unrelated to this exact command schema. Because this file defines routing metadata for direct capability invocation, an overly broad alias can misroute user intent into a poster-generation action with unintended external processing of prompts and images.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The alias "edit" is a highly common verb and is likely to overlap with many unrelated user requests, making accidental invocation especially likely. In this skill context, that can cause arbitrary user-supplied images and prompts to be sent into the image-edit pipeline when the user intended a different operation or a non-tool conversational action.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The module reads credential files and populates secret-bearing environment variables with no warning, prompt, or audit signal in this code path. While not an exploit by itself, the lack of transparency increases the risk of users unknowingly authorizing network actions with sensitive credentials and makes abuse harder to detect.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The code can automatically perform `npm install -g` without any user-facing warning or confirmation, allowing runtime modification of globally installed software. This is dangerous because it can unexpectedly change execution behavior, require elevated privileges, and expose the environment to malicious or compromised package releases.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding
The npm version check initiates undisclosed network activity during runtime. While lower severity than installation, undisclosed outbound requests still expand the attack surface, leak usage metadata, and normalize hidden behavior inconsistent with a simple routing skill.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger description includes broad phrases like “让照片更好看” (“make the photo look better”), “beautify”, and “beauty enhance”, which can match ordinary conversation and cause the skill to activate unexpectedly. In a routing skill, overbroad activation increases the chance of processing unintended user images or launching tool flows without sufficiently explicit user intent, which is especially sensitive because the skill performs image manipulation and may invoke external CLI operations.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The skill instructs users to set AK/SK credentials and references environment variables, but provides no warning against exposing secrets in chat, logs, screenshots, or command history. Because this is an operational skill that depends on CLI auth, users may paste secrets directly into interactive contexts or store them insecurely, leading to credential leakage and unauthorized API use.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The trigger description includes broad generic terms such as 套组 (“set”), 组图 (“image series”), 产品套图 (“product image set”), and 知识卡片套图 (“knowledge-card image set”), which can match ordinary user requests and cause this skill to activate when the user did not explicitly ask for carousel generation. In an agent system, over-broad routing can lead to unintended tool use, unnecessary external API calls, and mishandling of user intent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The protocol instructs the agent to read, create, and modify persistent memory files based on user feedback, but it does not require explicit notice or consent before those filesystem changes occur. This creates a privacy and transparency risk because user preferences may be stored durably without the user understanding that persistence is happening.

VirusTotal

64/64 vendors flagged this skill as clean.
