Security audit

Black Forest Labs FLUX

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uses a Black Forest Labs API key to send an image prompt to BFL and save the generated image locally.

Install only if you are comfortable sending prompts and image parameters to Black Forest Labs using your BFL API key. Keep /root/.clawdbot/.env trusted because the script sources it, avoid putting secrets or sensitive personal data in prompts, and choose output paths intentionally because generated files are written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs the agent to execute a bundled shell script, but the skill declares no permissions despite clearly requiring shell/code execution capability. This creates a trust and governance gap: the agent may run external commands and access local files or environment secrets without an explicit permission boundary, making misuse, prompt injection, or unintended command execution harder to audit and constrain.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.