爱创AI - E-commerce AI creation agent tool | AI image generation | AI video generation | AI e-commerce product-detail image generation

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it uses account tokens and can upload, manage, and delete third-party assets without enough scoping or confirmation safeguards.

Install only if you intend to use the 51aic/Aicraft service and are comfortable pasting a service token into the chat. Before uploads, confirm the images are appropriate to send to that platform. Before any deletion, require the agent to list exact asset IDs and get your explicit approval. Use watermark removal only on images you own or are authorized to modify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Vague Triggers

Severity: High
Confidence: 98%
Finding
The skill’s trigger scope is excessively broad and includes generic image/video editing and generation requests, plus a mandatory-use directive. This can cause the agent to route many unrelated user requests to a third-party service by default, increasing the chance of unnecessary data sharing, token collection, and external transmission of user content without sufficiently specific user intent.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
Triggering on bare vendor mentions such as “爱创”, “51aic”, or “aicraft” lacks contextual constraints and may activate the skill even when the user is only asking a question about the service, comparing tools, or discussing it abstractly. That broad matching increases the risk of inappropriate tool invocation and unnecessary exposure of user data to the platform.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The asset management flow allows deletion via `Asset/BatchDelete` but does not require an explicit confirmation or present a warning immediately before the destructive action. In an agentic environment, this raises the risk of accidental or ambiguous deletion of user assets, especially when the agent is operating on inferred intent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The eval manifest defines expected behavior for several sensitive operations, but it does not clearly constrain when the skill should be invoked or what boundaries apply to those actions. In this context, the skill is broadly described as mandatory for many image/video/e-commerce requests, which increases the chance of over-triggering the skill and causing unintended API use, data transfer, or side effects on user assets.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The eval explicitly expects deletion of assets after identifying failed style-replication works, but it does not require a confirmation step, preview of items to be deleted, or rollback safeguards. That creates a real risk of accidental or overly broad destructive actions against user content, especially if search filters are wrong, ambiguous, or manipulated.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly documents a watermark-removal mode as a supported capability without any restriction, authorization check, or warning about copyright, ownership, or lawful use. In an e-commerce image editing skill, this can facilitate removal of creator marks or platform overlays from third-party assets, enabling IP infringement and deceptive reuse of protected content.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to save and automatically reuse the user’s token in conversation context. Retaining credentials in conversational state increases the chance of accidental disclosure, misuse in later turns, or inappropriate reuse across actions the user did not freshly authorize.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The skill directs the agent to obtain a secondary payment authorization token and cache it for reuse. Caching an additional bearer credential expands the attack surface: if leaked or reused improperly, it could expose billing or balance information and enable unintended authenticated operations against the payment API.

VirusTotal

64/64 vendors flagged this skill as clean.