Doubao Image

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it is presented as a Zhipu web search/image skill, but its runnable script sends prompts and the configured key to a Doubao/Volces image-generation endpoint.

Do not install this version unless you specifically intend to use the Doubao/Volces image-generation call in the script. Before using any real key, the publisher should align the name, description, endpoint, required credential, script path, and activation guidance; testing should use a disposable, narrowly scoped key for the actual Volces endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The package metadata presents the skill as "doubao-image" while the description says it performs Zhipu web search, creating a clear identity and purpose mismatch. This can mislead reviewers, users, or automated tooling about what the package is supposed to do, which increases supply-chain and trust risks by making deceptive repackaging or capability concealment harder to detect.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The skill metadata and manifest describe a web search capability, but the implementation actually sends user prompts to an image-generation API. This mismatch is dangerous because it can mislead users and higher-level agents about what data is being sent externally and what action is being performed, undermining consent, policy enforcement, and trust boundaries.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The inline comment identifies the file as an image generation script, directly contradicting the declared web-search purpose of the skill. While a comment alone is not code execution, this discrepancy reinforces that the skill is misrepresented and increases the likelihood of deceptive or unsafe deployment in contexts expecting only search behavior.

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation guidance is broad enough to trigger on many ordinary requests for information, which can cause the skill to run more often than users or the orchestrator intend. In a skill that sends user queries to an external API, over-broad activation increases the chance of unnecessary data disclosure to a third party and unintended external network access.

Vague Triggers

Medium
Confidence: 91%
Finding
The skill's 'When to Use' section contains broad, everyday-language triggers such as 'look up', 'find information about', and 'what's the latest news about'. These phrases are likely to over-match normal user requests and can cause unintended invocation of this skill, which in turn may send user queries to an external service without sufficiently clear user intent for web-image search.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script transmits the full user prompt to a remote third-party API without any visible disclosure or consent mechanism. In a skill presented as web search, this is more dangerous because users may not expect their input to be sent to an unrelated image-generation provider, creating privacy and data-handling risks.

Missing User Warnings

Low
Confidence: 84%
Finding
The script depends on a sensitive API key for external access, but the skill description does not clearly disclose that credentialed third-party service usage is required. This is primarily a transparency and operational-security issue: operators may provision secrets without understanding the real external dependency and data flow.

External Transmission

Medium
Category: Data Exfiltration
Content
```bash
export DOUBAO_API_KEY="your_key"

curl -s -X POST "https://open.bigmodel.cn/api/paas/v4/chat/completions" \
  -H "Authorization: Bearer $DOUBAO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 88%

VirusTotal

64/64 vendors flagged this skill as clean.
