ClawHub

Aigc.Bak

Security checks across malware telemetry and agentic risk

Overview

The skill can generate images, but it automatically uploads and forwards results using bundled or environment credentials in ways users should review before installing.

Review before installing. Remove and rotate the bundled OSS token, require each user to provide a scoped credential, verify or package the Feishu sender component, and make OSS upload plus Feishu forwarding explicit opt-in actions before using this with private prompts or images.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = ['python3', FEISHU_SENDER_SCRIPT, '--file', temp_file.name, '--receive-id', chat_id]
        print(f"📤 执行命令: {' '.join(cmd)}")
        
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
        print(f"📤 返回: {result.stdout}")
        if result.stderr:
            print(f"📤 错误: {result.stderr}", file=sys.stderr)
Confidence
84% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

Tainted flow: 'files' from requests.get (line 260, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
files = {'file': (filename, img_response.content, 'image/png')}
            headers = {'Authorization': f'Bearer {OSS_TOKEN}'}
            
            upload_response = requests.post(
                OSS_UPLOAD_URL,
                files=files,
                headers=headers,
Confidence
91% confidence
Finding
upload_response = requests.post( OSS_UPLOAD_URL, files=files, headers=headers, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents capabilities to perform network requests, shell commands, local file writes, and likely environment/config access, but declares no permissions. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill can do, and hidden capabilities can be abused or accidentally invoked without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose is image generation, but the documented behavior extends to downloading files locally and automatically sending them through Feishu, with implied reliance on local configuration or tokens. This mismatch is dangerous because it hides secondary data flows and external sharing behaviors that users may not expect, increasing the risk of unauthorized disclosure of prompts or generated content.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The workflow goes beyond assisting with image generation by automatically downloading the output and sending it to Feishu. In context, this makes the skill more dangerous because a user asking only for generation may unknowingly trigger local persistence and message delivery to another system, creating privacy and data-handling risks.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The skill specifies a fixed local filesystem storage path for generated images but does not disclose this in the primary description. Undisclosed persistence can expose sensitive prompts or outputs to other local users, backups, or unrelated processes, especially on shared workstations.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatic Feishu messaging is not inherently required to satisfy an image-generation request, so performing it by default expands the skill's data exposure beyond user expectations. In this context, generated images and associated prompts may be sent to chat recipients without explicit authorization, which can leak sensitive or proprietary content.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The declared purpose is image generation, but the code also uploads outputs to OSS and sends files to Feishu. This mismatch hides external data transmission behavior from users and reviewers, making the skill more dangerous because generated content is automatically shared outside the local generation context.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Invoking an external Feishu sender subprocess gives the skill an additional file-delivery capability not justified by the stated image-generation scope. In context, this is more dangerous because the skill runs with local agent privileges and can forward generated or fetched files into chat channels without clear user awareness.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code reads OSS tokens and chat identifiers from environment/config to support external delivery workflows beyond simple image generation. This is risky in context because the skill silently gains access to credentials and routing information that enable transmission of user-generated content to outside systems.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module docstring says the skill calls a local AIGC API and uploads to OSS, but the implementation also sends files to Feishu. This incomplete disclosure is security-relevant because it conceals another outbound channel that can distribute user content beyond what operators or users may expect.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation examples are broad, generic phrases such as '生成一张图片' and '帮我生成', which can easily overlap with normal user conversation and trigger the skill unintentionally. In an agent environment, overbroad auto-invocation can cause unintended API calls, unexpected content generation, and routing of user requests to the wrong tool.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad everyday expressions such as '帮我生成' and '画一张', which can cause the skill to activate in ambiguous contexts. Because activation leads to network calls, local file storage, and downstream message sending, unintended triggering materially increases the chance of accidental execution and data handling without clear intent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Users are not warned that their generated images will be downloaded locally and automatically sent to Feishu. This missing warning is risky because users may include sensitive prompts or expect a conversational result only, not persistent local storage and transmission to an external messaging channel.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Generated images are automatically uploaded to external OSS storage without explicit notice or confirmation at execution time. In this skill context, that is dangerous because users may expect local generation only, while their prompts and resulting images are being transferred to third-party storage automatically.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill automatically sends generated images to Feishu via a local subprocess without explicit user warning or approval. This is especially dangerous because it combines hidden external sharing with an additional execution boundary, increasing both privacy risk and operational complexity.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal