ClawHub

Autoglm Generate Image

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it generates images by sending a user prompt to AutoGLM using a locally fetched token, with no hidden persistence or unrelated behavior found.

Install this only if you trust the AutoGLM service and the local token provider on port 53699. Treat image prompts as data sent to an external service, and avoid including secrets, private customer data, or proprietary text unless that is acceptable for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation clearly describes network access to both a localhost token service and an external image-generation API, yet it declares no permissions or user-facing notice about those capabilities. This creates a transparency and consent problem: users and hosts may not realize the skill can retrieve credentials and send prompts off-device.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill automatically retrieves a bearer token from a local HTTP service without any explicit disclosure, confirmation, or trust boundary explanation. Accessing local credential sources silently is sensitive because localhost services often expose privileged secrets intended only for trusted components, and users may not expect a skill to read them.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown instructs the skill to send user-provided text to an external API together with authorization data, but it does not warn users that their prompts leave the local environment. In an image-generation skill, prompts may contain sensitive or proprietary data, so undisclosed network transmission creates privacy and data-handling risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal