ClawHub
Back to skill

Security audit

AI Wedding Studio

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent wedding-photo prompt and image-generation helper, but users should treat reference photos and ethnicity defaults carefully.

Install only if you are comfortable using it for wedding/couple imagery. Upload reference photos only when you have permission from the people shown, and review generated prompts before use because some included templates default to Chinese ethnicity/facial descriptors that may need to be removed or changed for other couples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
79% confidence
Finding
The description uses broad activation language like general image-prompt and idea-cohesion requests, which can cause the skill to trigger for common conversations beyond narrowly intended wedding-photo use. Over-broad routing increases the chance that users share personal photos or relationship details with this skill unintentionally, expanding privacy exposure and misuse surface.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly directs analysis of user reference photos and identity-preserving image generation, which involves highly privacy-sensitive biometric and relationship data. Without an explicit warning, consent check, retention/handling notice, and limitation on third-party images, users may provide sensitive photos without understanding the privacy implications or the risk of deceptive identity-based image creation.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The package hard-codes the subjects as '中国年轻情侣' and later includes identity rules about preserving uploaded faces, which makes ethnicity a fixed eligibility/output constraint rather than a user-selected cultural styling option. In an image-generation skill, this can lead to discriminatory gating or forced ethnic transformation requests, especially when users want Chinese wedding styling without being required to have 'Chinese' faces.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The base prompt explicitly requires '真实自然的中国面孔' as a default output condition, turning ethnicity/facial phenotype into a mandatory generation rule instead of an opt-in preference. That increases the risk of biased or exclusionary outputs and can pressure the model to alter identity traits of uploaded people to fit an ethnic template.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The package hard-codes the subjects as '中国年轻情侣' and reinforces that identity in the base prompt, which removes user choice and can cause the system to overwrite or misrepresent the user's actual identity. In an image-generation skill centered on personalized wedding photos, this is more concerning because it directly affects protected or sensitive identity traits and can lead to exclusionary or inaccurate outputs.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The package hard-codes the subjects as a '中国年轻情侣' in the profile, which can cause identity attributes to be imposed on users without their explicit request. In an image-generation workflow, this creates fairness and misrepresentation risk because uploaded people may be transformed toward a predefined ethnicity/national identity rather than preserving user intent.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The base prompt explicitly injects '中国年轻情侣' and '真实自然的中国面孔' into the generation instructions, so every use of this template steers outputs toward a specific identity regardless of user preference. This is more dangerous in this skill because the package is intended to preserve uploaded persons' real facial traits and consistency, making identity override especially likely to produce biased or inaccurate depictions.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.