ClawHub

Qwen Image Plus Sophnet

Security checks across malware telemetry and agentic risk

Overview

This skill appears to only call Sophnet to generate images, but prompts and returned image links should be treated as data shared with that service.

Install this only if you intend to use Sophnet for image generation. Use a scoped Sophnet API key, prefer the SOPHNET_API_KEY environment variable instead of passing keys on the command line, avoid sensitive or regulated prompt content, and do not broadly share generated URLs that contain signature or access query parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends user prompts and API usage data to an external Sophnet service but does not warn the user about that data transfer. This can expose sensitive prompts, metadata, and potentially regulated information to a third party without informed consent, which is especially risky because image prompts often contain proprietary or personal content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example output includes a signed, time-limited image URL containing access parameters, but the documentation tells users to return or share the IMAGE_URL without warning about credential-bearing query strings. Sharing these URLs can unintentionally grant temporary access to generated content or leak provider-specific access tokens in logs, chats, analytics, or downstream systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal