remove background

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do Bria background removal, but its bundled helper can call broader Bria API actions and stores Bria tokens on disk in plaintext.

Install only if you are comfortable sending selected images to Bria and storing Bria account tokens locally. Review or constrain the helper if you need a true background-removal-only tool, and consider deleting or permission-locking ~/.bria/credentials after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill embeds and instructs execution of substantial shell code but does not declare any permissions for shell access. This creates a transparency and governance gap: reviewers and runtime policy engines may treat the skill as lower risk than it actually is, while the skill can still read files, persist credentials, and make network calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a dedicated background-removal tool, but it sources a generic helper and notes arbitrary endpoint invocation capability, which can enable broader Bria API operations than users would expect. A capability mismatch is dangerous because users and orchestrators may route sensitive tasks here under the assumption that only a narrow transformation will occur.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The helper exposes generic image generation and editing endpoints even though the skill is specifically for background removal. This broadens the capability surface beyond the declared purpose, increasing the chance that the skill is used to perform unrelated remote actions and bypass skill-level scoping or policy expectations.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The sample usage explicitly demonstrates arbitrary generation and edit operations unrelated to background removal, which conflicts with the skill's stated purpose. In an agent setting, this can enable scope creep where a narrowly approved skill becomes a general image manipulation client, undermining user and platform expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs sending local files or image URLs to a third-party API without an explicit user-facing warning that content leaves the local environment. This is a privacy and data-handling risk, especially for sensitive images, internal assets, or regulated data that a user may assume is processed locally.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script automatically loads an API credential from disk and sends it in request headers without clearly informing the user at runtime that a locally stored secret will be used for an outbound service call. This weakens transparency and can surprise users or operators, especially in shared environments where implicit credential use may violate expectations or policy.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script uploads image data to a remote API but does not provide an explicit warning or confirmation that local or user-supplied images will leave the machine. For sensitive images, this can create privacy, compliance, or data-handling risks because users may assume processing is local when it is not.

External Transmission

Medium
Category
Data Exfiltration
Content
Introspect the bearer token to check billing status and obtain the real API key for Bria API calls:

```bash
INTROSPECT=$(curl -s -X POST "https://engine.prod.bria-api.com/v2/auth/token/introspect" \
  -d "token=$BRIA_ACCESS_TOKEN")
BILLING_STATUS=$(printf '%s' "$INTROSPECT" | sed -n 's/.*"billing_status" *: *"\([^"]*\)".*/\1/p')
if [ "$BILLING_STATUS" = "blocked" ]; then
```
Confidence
84% confidence
Finding
curl -s -X POST "https://engine.prod.bria-api.com/v2/auth/token/introspect" \ -d

Credential Access

High
Category
Privilege Escalation
Content
## Setup — Authentication

Before making any API call, you need a valid Bria access token.

### Step 1: Check for existing credentials
Confidence
95% confidence
Finding
access token

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
if [ -n "$ACCESS_TOKEN" ]; then
    BRIA_ACCESS_TOKEN="$ACCESS_TOKEN"
    REFRESH_TOKEN=$(printf '%s' "$TOKEN_RESPONSE" | sed -n 's/.*"refresh_token" *: *"\([^"]*\)".*/\1/p')
    mkdir -p ~/.bria
    printf 'access_token=%s\nrefresh_token=%s\n' "$BRIA_ACCESS_TOKEN" "$REFRESH_TOKEN" > "$HOME/.bria/credentials"
    echo "AUTHENTICATED"
    break
```
Confidence
97% confidence
Finding
mkdir -p ~/.bria

VirusTotal

63/63 vendors flagged this skill as clean.
