ClawHub

格语

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill for making grid-style illustrated stories, with user-provided character images used for the stated purpose.

Install is reasonable if you want an image-generation workflow for grid comics. Before using it, treat any uploaded character image as potentially sensitive, avoid third-party or private photos without consent, and review the exported full prompt before copying or publishing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes very broad, generic phrases such as common comic/story terms, which can cause the skill to activate in contexts where the user did not clearly intend to invoke it. This is mainly a safety and routing issue rather than a direct exploit, but unintended activation can lead to unnecessary collection of user inputs or images under the skill workflow.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly asks users for a character image and records/reuses image URLs throughout the workflow, but it does not provide any privacy notice, retention limits, or warning about how those URLs and linked images will be handled. Because images can contain personal likenesses or sensitive metadata, this creates a real privacy risk if users provide personal photos without understanding reuse and exposure implications.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill instructs the system to output the complete reusable prompt, and that prompt may embed user-provided visual descriptors, image-linked references, or other personal content gathered earlier in the session. Exposing the full prompt without warning or sanitization increases the chance of accidental disclosure when users copy, share, or publish the generated document.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal