AIGC Generator

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill is mostly coherent, but it needs review because it automatically sends generated content through multiple external services and uses under-scoped execution instructions.

Review before installing. Use a dedicated AIGC API key, avoid confidential prompts or images, confirm the Feishu destination and AIGC_BASE_URL, and prefer a version that uses a package-relative script path, safe structured command arguments, and explicit opt-in for Feishu or file-service uploads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'files' from requests.get (line 81, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
filename = os.path.basename(urlparse(image_url).path) or f"aigc_{int(time.time()*1000)}.png"
files = {'file': (filename, img_resp.content, 'image/png')}
headers = {'X-API-Key': CONFIG['api_key']}
resp = requests.post(
    f"{CONFIG['base_url']}/ai/file/upload",
    files=files, headers=headers, timeout=30
)
Confidence
91% confidence
Finding
resp = requests.post( f"{CONFIG['base_url']}/ai/file/upload", files=files, headers=headers, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill uses environment variables and external network interactions but does not declare corresponding permissions, which weakens transparency and permission gating. In practice this can cause the agent to access secrets or make outbound requests without users and platform policy having clear visibility into those capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is image generation, but the workflow also stores files locally and uploads generated image content to Feishu, which is a materially broader data flow than users would expect from the description alone. This mismatch creates a hidden exfiltration/privacy risk because user prompts and generated content may be transmitted or persisted beyond the generation service without informed consent.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises image generation, but the implementation also uploads generated images to an OSS/file-upload endpoint. That undisclosed secondary capability increases data-exposure risk and changes the trust boundary, especially in an agent environment where users may not expect their content or generated outputs to be sent to additional services.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The auto-trigger conditions are broad enough to match common creative-assistance requests, so the skill may activate in conversations where the user did not intend image generation or external processing. Because activation leads to external requests and file uploads, overly permissive triggering increases the chance of unintended data disclosure and surprise actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The example triggers include generic phrases like '帮我生成' ("help me generate") and '创作图片' ("create an image"), which are ambiguous and can overlap with ordinary requests for drafting or brainstorming. In this skill, ambiguous activation is more dangerous because execution can spawn an isolated session, call external services, and upload the resulting files automatically.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill documentation does not tell users that generated images will be uploaded to Feishu, even though the workflow explicitly performs that action for each output file. Undisclosed transfer of generated content to a third-party collaboration platform is a significant privacy and compliance risk, especially if prompts or images contain sensitive business or personal information.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal