AI Image Generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SiliconFlow image-generation skill that sends prompts to the documented API using the user's API key.

Install only if you are comfortable sending image prompts to SiliconFlow and letting the skill use your SiliconFlow API key, which may consume paid quota. Avoid secrets, regulated data, or proprietary text in prompts, and make sure jq is installed before using the helper script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits the full user-supplied prompt to a third-party image-generation service without any explicit consent, warning, or data-sensitivity check. In an agent context, users may enter secrets, personal data, or proprietary text into prompts, causing unintended external disclosure to the API provider.

External Transmission

Medium
Category
Data Exfiltration
Content
## Generate Image

```bash
curl -X POST "https://api.siliconflow.cn/v1/images/generations" \
  -H "Authorization: Bearer $SILICONFLOW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
curl -X POST "https://api.siliconflow.cn/v1/images/generations" \ -H "Authorization: Bearer $SILICONFLOW_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Generate Image

```bash
curl -X POST "https://api.siliconflow.cn/v1/images/generations" \
  -H "Authorization: Bearer $SILICONFLOW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
- `black-forest-labs/FLUX.1-dev` - FLUX dev version
- `Qwen/Qwen-Image` - Qwen image generation

> Note: Model IDs may be updated; query the latest list with `curl -s "https://api.siliconflow.cn/v1/models" -H "Authorization: Bearer $SILICONFLOW_API_KEY" | jq '.data[].id'`

## Parameters
Confidence
87% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Generating image with $MODEL..."
echo "Prompt: $PROMPT"

RESPONSE=$(curl -s -X POST "https://api.siliconflow.cn/v1/images/generations" \
    -H "Authorization: Bearer $API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
Confidence
93% confidence
Finding
curl -s -X POST "https://api.siliconflow.cn/v1/images/generations" \ -H "Authorization: Bearer $API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
echo "Generating image with $MODEL..."
echo "Prompt: $PROMPT"

RESPONSE=$(curl -s -X POST "https://api.siliconflow.cn/v1/images/generations" \
    -H "Authorization: Bearer $API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
Confidence
93% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

64/64 vendors flagged this skill as clean.
