Cloudflare Image Generation

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is review-worthy because it exposes a Cloudflare credential and lets image prompts flow into a shell command.

Do not install this version as-is. Use a corrected release that removes and rotates the embedded Cloudflare token, loads your own least-privilege credential from a secret store or environment variable, and replaces shell-based curl construction with a safe HTTP client or shell-free subprocess call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
-H "Content-Type: application/json" \
      -d '{json.dumps({"prompt": prompt})}' > /tmp/cf_response.json'''

    subprocess.run(cmd, shell=True)

    with open('/tmp/cf_response.json', 'r') as f:
        data = json.load(f)
Confidence
99% confidence
Finding
subprocess.run(cmd, shell=True)

MCP Least Privilege

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill invokes code and shell execution paths but does not declare corresponding permissions, which undermines transparency and policy enforcement. In this case the undocumented capabilities are paired with credential use and local file writes, making the undeclared behavior more concerning than a harmless documentation omission.

MCP Tool Poisoning

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is image generation, but the skill also embeds a bearer token, fixes a specific Cloudflare account identifier, and writes files locally without clearly declaring those behaviors. This mismatch hides sensitive operations from reviewers and users, increasing the risk of secret leakage, unauthorized API consumption, and unexpected host-side effects.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A live Cloudflare API token and account ID are embedded directly in the skill documentation, exposing reusable credentials to anyone who can read the file. An attacker could use the token to generate charges, access or abuse the Cloudflare account's AI services, or pivot into other account resources depending on token scope.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This skill’s functionality only requires sending an HTTP request, yet it invokes a shell to do so while embedding secrets and user input in the command string. That unnecessary shell use creates command-injection risk and exposes credentials/process details to the local environment, making the implementation materially more dangerous than required.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation exposes sensitive credentials and instructs their use without any warning, redaction, or secure handling guidance. This normalizes unsafe secret management and makes credential theft trivial for anyone with repository or skill access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The shell execution path directly incorporates the user-provided prompt into the command string without isolation or confirmation. In this context, confirmation is not the core issue—the real danger is that attacker-controlled input reaches a shell, enabling command injection and arbitrary local code execution.

VirusTotal

60/60 vendors flagged this skill as clean.