
Security audit

Random Image Placeholder

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only helper for making Picsum placeholder image URLs, with optional user-requested downloads and no hidden authority.

Use this skill when you want placeholder images from picsum.photos. Prefer URL-only output unless you actually need files saved, and when downloading, choose a project-local or temporary output path and treat downloaded network files as untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger section is broad enough to match many generic image-related requests, which can cause the skill to be invoked outside its narrow Picsum placeholder purpose. In an agent system, over-broad routing can lead to inappropriate tool selection, unnecessary network use, or user confusion, even though this skill's actions are relatively limited and the content is not overtly malicious.

Vague Triggers

Medium
Confidence: 84%
Finding
The manifest description contains expansive invocation cues like random image and temporary image URLs for mockups, docs, tests, or demos, which overlap with common user requests beyond this specific service. That increases the chance of accidental over-selection of this skill, potentially causing the agent to route ordinary image requests to an external placeholder service when a different skill or no skill would be more appropriate.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.