ClawHub

Image Gen Cheap

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses LaoZhang's external API to generate or edit images, with normal privacy and token-handling cautions.

Install only if you are comfortable sending image prompts and source image URLs to LaoZhang's external service. Do not use it with private images, confidential business material, secrets, regulated data, or private/internal URLs unless that sharing is approved. Treat ~/.laozhang_api_token like a password and keep generated outputs out of shared folders or repositories when they contain sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation instructs users to read and write a local token file and to send prompts/images to a remote API, but it does not declare corresponding permissions. Undeclared file and network capabilities reduce transparency and can cause the agent to perform sensitive actions users did not explicitly authorize.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to send prompts and source image URLs to a third-party API but does not disclose that user content will leave the local environment or mention any privacy, retention, or data-handling implications. In an agent skill context, this can cause users to unknowingly transmit sensitive prompts, internal images, or private links to an external service.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include very broad everyday terms such as '生成图片', '画图', and '图片编辑', which can cause accidental invocation in ordinary conversation. Unintended activation could send user prompts or images to the external provider without sufficiently deliberate user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes uploading prompts and image URLs to a remote service and saving outputs locally, but it does not prominently warn users about third-party data transfer, retention, or local persistence. In an image-editing context, this can expose sensitive images, private prompts, or API credentials to external systems and local disk without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends user-supplied image URLs and edit prompts to a third-party API without any explicit consent flow, privacy warning, or data-classification check. In this skill context, users may provide private image URLs or sensitive prompts, so silent transmission to an external service creates a real confidentiality risk even if it is expected functionality.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends the user-provided prompt verbatim to a third-party API, but it does not clearly warn the user that prompt contents leave the local environment. This is dangerous because users may include sensitive or proprietary text in prompts without realizing it will be transmitted to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. 获取 API Token

访问 [https://api.laozhang.ai/register/?aff_code=lfa0](https://api.laozhang.ai/register/?aff_code=lfa0) 注册,在控制台获取 token。新注册自动获得 $0.5 开发测试额度。

保存 token:
```bash
Confidence
88% confidence
Finding
https://api.laozhang.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. 获取 API Token

访问 [https://api.laozhang.ai/register/?aff_code=lfa0](https://api.laozhang.ai/register/?aff_code=lfa0) 注册,在控制台获取 token。新注册自动获得 $0.5 开发测试额度。

保存 token:
```bash
Confidence
88% confidence
Finding
https://api.laozhang.ai/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal