Vision

Security checks across malware telemetry and agentic risk

Overview

This image-recognition skill appears useful, but it needs Review because it can upload sensitive images to a third-party service and uses weak install and credential-storage controls.

Only install this after confirming you are comfortable with images, URLs, and prompts being sent to the configured third-party vision provider. Avoid using it on IDs, screenshots with secrets, medical or financial documents, or internal company materials unless you have explicit approval. Review the install source carefully and prefer a pinned trusted URL or checksum-verified package; protect or rotate the API key if the skill directory may be shared, backed up, or committed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README encourages users to send images to the skill for recognition but does not disclose that images may be transmitted to a third-party vision API, which can expose sensitive personal, corporate, or regulated data. In a vision skill, this omission is more dangerous because screenshots and photos commonly contain credentials, personal information, internal documents, or other confidential content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly sends image content to an external vision API, but the user-facing documentation does not clearly warn that local images or referenced URLs may be transmitted to a third-party service. This creates a privacy and data-governance risk, especially if users provide sensitive screenshots, IDs, internal documents, or regulated data assuming analysis is local.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger evals define very broad, natural-language image-help requests as mandatory activation cases, which increases the chance the skill will fire on ambiguous conversational prompts without strong evidence that image analysis is actually needed or that image inputs are present. In an agent setting, over-broad triggering can cause unintended routing, unnecessary exposure of image/file inputs, and accidental processing of sensitive visual content.

Missing User Warnings

High
Confidence: 96%
Finding
The eval explicitly expects the skill to process a national ID card (身份证) image, which is highly sensitive personal data, but provides no guardrails, warning, minimization guidance, or consent checks. This creates a clear privacy and compliance risk because the skill may extract, expose, or retain identity information without any special handling for regulated personal data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The installer accepts a user-supplied URL and immediately downloads skill files into the local skill directory, then later marks the downloaded JavaScript as executable. There is no confirmation prompt, origin validation, integrity check, or pinned trusted source, so a malicious or mistyped URL could install attacker-controlled code that is likely to be run by the user afterward.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script sends user-supplied images and prompts to a third-party remote API, but it does not provide an explicit disclosure at execution time that local files and potentially sensitive image contents will leave the machine. In a vision skill, this data flow is expected, but the lack of a clear warning can cause inadvertent exfiltration of screenshots, documents, or other sensitive content when users assume processing is local.

Missing User Warnings

Medium
Confidence: 87%
Finding
The setup flow prompts for an API key and stores it in a plaintext local config file without warning the user about credential storage or file protection expectations. This can expose the key to other local users, backups, or accidental disclosure if the skill directory is shared or committed.

VirusTotal

47/47 vendors flagged this skill as clean.
