Image generation and editing

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Bria.ai image-generation and editing skill, but users should understand it uploads selected prompts/images to Bria and stores reusable Bria credentials locally.

Install only if you trust this Bria.ai integration with your Bria account and with the prompts or images you submit. Protect or delete ~/.bria/credentials when no longer needed, and avoid using it for sensitive, regulated, or confidential images unless Bria's terms and retention practices fit your requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs the agent to execute shell commands (`curl`, file reads/writes, sourcing a shell helper), yet the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users or the platform may believe the skill is lower risk than it is, while it can still perform networked command execution and local credential handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a Bria image client for specific documented image operations, but it exposes a generic `bria_call` wrapper that can invoke arbitrary Bria endpoints and transmit either local file contents or remote URLs. That mismatch materially expands capability beyond what a user or reviewer would reasonably expect, enabling unintended API actions and broader data exfiltration to the external service.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger guidance is extremely broad, effectively telling the system to use this skill for almost any image- or visual-related request. Over-broad routing increases the chance the skill is invoked unnecessarily, causing unintended credential use, external data transmission, or user content upload when a simpler local tool would suffice.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest description contains catch-all language such as using the skill whenever the user wants to generate, edit, modify, or transform any image. This broad phrasing can cause over-selection of the skill and unnecessary transfer of user images and prompts to a third party, increasing privacy and security exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises credential caching in `~/.bria/credentials` but does not warn users that sensitive API/access tokens will be stored locally. Persisting tokens without clear disclosure or protection expectations increases the chance of accidental exposure via local compromise, backups, shared accounts, or other tooling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The authentication flow explicitly writes access and refresh tokens to `~/.bria/credentials` without any privacy notice, permission hardening, or secure-store integration. Long-lived credentials on disk materially increase the blast radius of local compromise and make account takeover easier if the file is read by another process or user.

External Transmission

Medium
Category
Data Exfiltration
Content
Introspect the bearer token to check billing status and obtain the real API key for Bria API calls:

```bash
INTROSPECT=$(curl -s -X POST "https://engine.prod.bria-api.com/v2/auth/token/introspect" \
  -d "token=$BRIA_ACCESS_TOKEN")
BILLING_STATUS=$(printf '%s' "$INTROSPECT" | sed -n 's/.*"billing_status" *: *"\([^"]*\)".*/\1/p')
if [ "$BILLING_STATUS" = "blocked" ]; then
```
Confidence
78% confidence
Finding
curl -s -X POST "https://engine.prod.bria-api.com/v2/auth/token/introspect" \ -d

Credential Access

High
Category
Privilege Escalation
Content
## Setup — Authentication

Before making any API call, you need a valid Bria access token.

### Step 1: Check for existing credentials
Confidence
89% confidence
Finding
access token

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: bria-ai
description: AI image generation, editing, and background removal API via Bria.ai — authenticates via OAuth device flow and caches credentials in ~/.bria/credentials, then calls 20+ endpoints to remove backgrounds for transparent PNGs and cutouts, generate images from text prompts, and edit photos with natural language instructions. Also create product photography and lifestyle shots, replace or blur backgrounds, upscale resolution, restyle, and batch-generate visual assets. Use this skill whenever the user wants to remove a background, create transparent PNGs, generate, edit, modify, or transform any image — including hero images, banners, social media visuals, product photos, illustrations, icons, thumbnails, ad creatives, or marketing materials. Also triggers on cutout, inpainting, outpainting, object removal or addition, photo restoration, style transfer, image enhancement, relight, reseason, sketch-to-photo, or any visual content creation. Commercially safe, royalty-free.
license: MIT
homepage: https://bria.ai
metadata:
Confidence
82% confidence
Finding
create product photography and lifestyle shots, replace or blur backgrounds, upscale resolution, restyle, and batch-generate visual assets. Use this skill whenever the user wants to remove a backgroun

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
if [ -n "$ACCESS_TOKEN" ]; then
    BRIA_ACCESS_TOKEN="$ACCESS_TOKEN"
    REFRESH_TOKEN=$(printf '%s' "$TOKEN_RESPONSE" | sed -n 's/.*"refresh_token" *: *"\([^"]*\)".*/\1/p')
    mkdir -p ~/.bria
    printf 'access_token=%s\nrefresh_token=%s\n' "$BRIA_ACCESS_TOKEN" "$REFRESH_TOKEN" > "$HOME/.bria/credentials"
    echo "AUTHENTICATED"
    break
```
Confidence
93% confidence
Finding
mkdir -p ~/.bria

VirusTotal

64/64 vendors flagged this skill as clean.
