ClawHub

Cheapest Image Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward EvoLink image generator that sends prompts to the disclosed API and saves the returned image locally.

Install only if you are comfortable sending image prompts to EvoLink and using an EvoLink API key from your environment. Avoid putting secrets or sensitive personal/business information in prompts, and expect generated images to be saved locally and API credits to be consumed when trigger phrases are used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill is designed to immediately send user prompts to an external image-generation API and save the returned file locally, but it does not require an explicit user-facing confirmation that network transmission and disk writes will occur. In an agent setting, this can violate user expectations, leak sensitive prompt content to a third party, and create files on disk without clear consent or visibility.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation tells users to run a script but does not clearly disclose two security-relevant side effects: the prompt is transmitted to a third-party service and a remote file is downloaded and written to disk. In a skill context, this omission can mislead users about data exposure and local file creation, which is especially relevant if prompts may contain sensitive information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example instructs users to run a script that sends their prompt and bearer API key to a third-party service and saves returned content to local disk, but it does not clearly disclose those behaviors. In a skill context, this omission can mislead users about data handling and local side effects, increasing the risk of unintended disclosure of sensitive prompts or unsafe file writes.

External Transmission

Medium
Category
Data Exfiltration
Content
$Out = [System.IO.Path]::GetFullPath($Out)
}

$apiBase = "https://api.evolink.ai/v1"
$headers = @{
    "Authorization" = "Bearer $ApiKey"
    "User-Agent"    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
Confidence
84% confidence
Finding
https://api.evolink.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal