Clawhub Publish 146230

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill needs review because it uses local Google OAuth credentials through a helper script that is not included in the package.

Install only if you trust and can inspect the local generate.js script it will run. Use a dedicated, revocable Google Antigravity OAuth profile, and require explicit confirmation before broad image requests invoke this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 85%
Finding
The activation conditions are very broad ('User asks to generate an image' / 'create visual content'), so this skill may be invoked in many loosely related contexts without the user explicitly requesting this specific internal-tool workflow. Because the skill uses local OAuth credentials and an internal API, unintended invocation increases the chance of unnecessary access to sensitive tokens or accidental use of privileged internal resources.

VirusTotal

66/66 vendors flagged this skill as clean.
