Playwright Dev

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as an image generator, but the package also contains broad personal automation files, credentials, messaging, memory, scheduled-task, and gateway configuration that do not fit that purpose.

Treat this as a Review item before installing. The core image script looks purpose-aligned, but the package should be reduced to only SKILL.md and the image-generation script, with unrelated workspace files removed and exposed API keys or messaging tokens rotated. Do not install it into a normal agent environment unless you are comfortable with the extra instructions and configuration being present.
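The reduction recommended above can be checked mechanically: list every file in the package that is not SKILL.md or the image script, and scan the package for strings that look like API keys or messaging tokens so they can be rotated. The following is an added example, not code from the scanned skill or from SkillSpector; the allowed file names, the constructed sample package, and the secret patterns (simple heuristics, not the scanner's own rules) are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Assumption: the only files an image-generation skill needs. The script
# name is hypothetical; adjust it to the package being reviewed.
ALLOWED_FILES: Set[str] = {"SKILL.md", "scripts/generate_image.py"}

# Heuristic secret patterns (assumption, not the scanner's own rules).
SECRET_PATTERNS = {
    "sk_prefixed_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    # Telegram bot tokens have the shape <numeric id>:<35 chars>.
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    # key = "value" / "token": "value" assignments with a long opaque value.
    "credential_assignment": re.compile(
        r"(?i)(api[_-]?key|auth[_-]?token|token|secret|password)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{16,})"
    ),
}


def audit_skill(skill_dir: Path, allowed: Set[str] = ALLOWED_FILES) -> Dict[str, List[str]]:
    """Report files outside the allowlist and lines that look like credentials.

    Every file is scanned for secrets, including the allowed ones: a key
    embedded in SKILL.md still has to be rotated.
    """
    extraneous: List[str] = []
    secrets: List[str] = []
    rel_paths = sorted(
        p.relative_to(skill_dir).as_posix() for p in skill_dir.rglob("*") if p.is_file()
    )
    for rel in rel_paths:
        if rel not in allowed:
            extraneous.append(rel)
        text = (skill_dir / rel).read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    secrets.append(f"{rel}:{lineno}:{name}")
                    break  # one hit per line is enough to flag it
    return {"extraneous_files": extraneous, "suspected_secrets": secrets}


def build_sample_package() -> Path:
    """Constructed sample mirroring the scan: image script plus unrelated config."""
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    (root / "scripts").mkdir()
    (root / "SKILL.md").write_text("# Image skill\nRun scripts/generate_image.py\n")
    (root / "scripts" / "generate_image.py").write_text("import subprocess\n")
    (root / "AGENTS.md").write_text("You may read email, push to git, send messages.\n")
    (root / "gateway.json").write_text('{"auth_token": "gw_EXAMPLE0123456789abcdef"}\n')
    (root / ".env").write_text("IMAGE_API_KEY=sk-EXAMPLEexampleEXAMPLEexample1234\n")
    return root


if __name__ == "__main__":
    report = audit_skill(build_sample_package())
    print("remove before install :", report["extraneous_files"])
    print("rotate these secrets  :", report["suspected_secrets"])
```

Anything in `extraneous_files` should be deleted from the package; anything in `suspected_secrets` should be treated as already exposed and rotated, whether or not the file it sits in is kept.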

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (832)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd.extend(['-b', background])

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
99% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, check=True, shell=True, cwd=os.path.dirname(os.path.abspat
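The flagged call passes an argv list together with shell=True. On POSIX that does not run the list as one command: subprocess hands only the first element to `sh -c`, and the remaining elements become the shell's positional parameters, so the `-b <background>` arguments are silently dropped. The obvious "fix" of joining the list into one string makes the call shell-parsed, and a caller-controlled `background` value then becomes a shell-injection vector. The added example below (not code from the scanned skill) demonstrates both behaviours using `echo` in place of the real image tool and shows the corrected call, which keeps the list and drops shell=True.

```python
import subprocess
from typing import List

# Constructed sample: a caller-influenced "background" value of the kind the
# flagged script appends with cmd.extend(['-b', background]). Harmless payload.
HOSTILE_BACKGROUND = "white; echo INJECTED"


def build_cmd(background: str) -> List[str]:
    """Mirror the shape of the flagged code; 'echo' stands in for the image tool."""
    cmd = ["echo"]
    cmd.extend(["-b", background])
    return cmd


def run_list_with_shell(cmd: List[str]) -> str:
    """The flagged pattern: argv list + shell=True.

    On POSIX this becomes ['/bin/sh', '-c', cmd[0], cmd[1], ...]: only cmd[0]
    is executed and cmd[1:] become $0, $1, ... of that shell. The program
    never sees '-b <background>', so output is just a newline.
    """
    return subprocess.run(cmd, capture_output=True, text=True, shell=True).stdout


def run_joined_with_shell(cmd: List[str]) -> str:
    """A tempting repair that is worse: join the list and keep shell=True.

    Every element is now parsed by the shell, so metacharacters in the
    attacker-controlled element (';', '|', '$(...)') execute as commands.
    """
    return subprocess.run(" ".join(cmd), capture_output=True, text=True, shell=True).stdout


def run_hardened(cmd: List[str]) -> str:
    """Corrected call: keep the argv list, drop shell=True, keep check=True.

    Each element reaches the program as one literal argument and no shell
    parses it, so the hostile value is just data.
    """
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    cmd = build_cmd(HOSTILE_BACKGROUND)
    print("list + shell=True :", repr(run_list_with_shell(cmd)))    # arguments lost
    print("joined + shell    :", repr(run_joined_with_shell(cmd)))  # INJECTED executes
    print("list, no shell    :", repr(run_hardened(cmd)))           # literal argument
```

If a shell really is required (pipes, globbing), build the string with `shlex.quote` on each untrusted element; otherwise the list form without shell=True is both the safe and the correct call.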

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation instructs use of a Python script that reads environment variables, accesses local files, invokes shell tooling, writes output files, and sends data to an external API, yet no permissions are declared. This creates a transparency and consent problem: users and host systems cannot accurately evaluate the skill's operational scope before use.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is not a narrowly scoped image-generation skill config; it is a full agent/platform configuration containing model routing, channels, gateway exposure, authentication, and plugin settings. That mismatch materially increases attack surface and privileges beyond the declared Nano Banana Pro purpose, enabling unrelated capabilities if this skill is installed or trusted as image-only.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The configuration enables messaging and text-to-speech features unrelated to image generation, including always-on TTS and a Feishu channel integration. Unnecessary communications features create extra data exposure paths and can allow the skill to send or surface content outside the expected image-editing boundary.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The file exposes a gateway configuration with authentication token, command settings, and node command policy even though the declared skill is only for image creation/editing. Embedding an execution/control surface in a single-purpose skill broadens the blast radius and could allow unauthorized local control or misuse of adjacent agent capabilities.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The configuration grants broad access to multiple LLM providers and APIs unrelated to a single Nano Banana Pro image skill. This expands outbound connectivity, increases the number of secrets at risk, and makes it easier for prompts or data to be routed to unintended external services.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file documents a broad personal automation platform that far exceeds the declared purpose of an image-generation/editing skill. This scope mismatch is dangerous because it can normalize hidden or overprivileged capabilities such as reading conversations, syncing files, sending messages, and running scheduled jobs under the cover of an unrelated benign manifest.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Reading and exporting Doubao conversation history is unrelated to an image tool and introduces access to potentially sensitive user content. In the context of a supposedly image-only skill, this represents unjustified data access and creates risk of privacy violations, silent collection, or secondary processing of chat histories.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Weekly worklog tracking and automated report generation are unrelated to the advertised image-generation purpose and imply access to organizational or personal productivity data. This unnecessary scope expansion increases the chance that users grant trust or deployment approval to a skill that can process sensitive work records beyond its stated function.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Feishu messaging, task management, and OAuth handling introduce external communications and credential-sensitive flows that are unjustified for an image-generation skill. In this context, they materially increase the attack surface by enabling content exfiltration, token misuse, or unauthorized actions in external collaboration systems.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
TTS generation plus automatic local playback is not required for image generation and introduces local execution/side-effect behavior. While less severe than data-access issues, it still expands the skill into unattended actions that users would not reasonably expect from an image-editing tool.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Knowledge-base indexing and OneDrive synchronization are unrelated to image generation and imply broad access to local files plus external syncing. In an image-skill context, this creates a strong risk of unexpected file discovery, metadata exposure, or cloud exfiltration under misleading expectations about the skill's purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
KML/KMZ parsing and geographic knowledge-base management are outside the expected scope of an image generation/editing skill. Although likely intended as general utility rather than overt abuse, the mismatch still indicates unnecessary capabilities and potential exposure of location-linked personal or organizational data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
An on-demand image tool generally should not define an extensive cron-based automation suite. Scheduled execution increases persistence and opportunity for unnoticed background actions, especially when paired with unrelated capabilities like reminders, syncing, monitoring, and report generation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This AGENTS.md grants sweeping capabilities—email/calendar/social monitoring, arbitrary file editing, git commits/pushes, Chrome launching, web access, and outbound messaging—that are unrelated to an image-generation/editing skill. In a skill context, these instructions expand the agent's authority far beyond user intent and create a prompt-injection path for data access, persistence, and external exfiltration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill discovery/install workflow instructs the agent to search for, inspect, recommend, and potentially facilitate installation of other skills, which is outside the declared purpose of this image tool. That creates a capability-escalation chain where one skill can bootstrap additional code or instructions into the environment, increasing attack surface and bypassing least-privilege expectations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This section mandates side effects such as generating review artifacts, opening Chrome, synthesizing TTS, sending Feishu notifications, and playing MP3s after installing skills. These actions are unrelated to image editing and create multiple outbound channels and execution surfaces that can be abused for exfiltration, unwanted messaging, or deceptive user interaction.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file content is fundamentally misaligned with the declared skill, which is supposed to generate or edit images using Nano Banana Pro. Instead, it provides a broad tutorial for building a persistent AI agent with chat integrations, memory, automation, and voice features; this scope expansion can mislead users into enabling unrelated capabilities with larger privacy and security consequences. In the context of an image-generation skill, this mismatch is especially dangerous because users may trust and install functionality they did not intend to expose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This section introduces unrelated capabilities including messaging platform integration, TTS/STT, long-term memory, cron automation, and smart-home control, none of which are justified by an image-editing skill. Such undocumented capability creep increases attack surface, encourages collection of sensitive data, and may cause users to connect external services or devices under false expectations about the skill's purpose. Because the manifest advertises only image creation/editing, the surrounding context makes these extra instructions more suspicious and riskier.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The bootstrap instructions direct the agent to perform identity formation, maintain user/profile records, and onboard external messaging channels, none of which are necessary for an image-generation/editing skill. This creates dangerous scope expansion: a user invoking an image tool could instead be steered into persistent profiling and off-platform contact setup, increasing privacy, social-engineering, and unauthorized capability risks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file explicitly tells the agent to collect and store personal/profile data in USER.md and to guide users through linking WhatsApp or Telegram accounts. For an image-editing skill, this data collection and external account onboarding are unjustified and materially increase the risk of privacy violations, retention of unnecessary personal information, and redirection of users into less-monitored channels.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The bootstrap content tells the agent to become a general conversational persona, ask existential identity questions, and establish a custom vibe instead of acting as a narrowly scoped image tool. This mismatch weakens user expectations and safety boundaries, making it easier for the skill to solicit unrelated information or perform actions outside its declared function.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file documents automation for collecting Doubao conversation content and storing it locally, which is unrelated to the declared image-generation/editing purpose of the skill. This capability expansion is dangerous because it enables collection and persistence of potentially sensitive user chat data under a misleading skill context, reducing user scrutiny and violating least privilege.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented browser automation opens doubao.com, queries page elements, extracts sidebar text, and writes the result to a knowledge base. In an image-editing skill, this is an unjustified data-access pathway that could be used to exfiltrate private conversations or normalize hidden surveillance-like behavior unrelated to the skill's stated function.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The memory file stores extensive personal profile and work/project details—name, timezone, employer, residence, interests, and project status—that are unrelated to an image-generation/editing skill. This creates unnecessary retention of sensitive user data and expands the blast radius if the skill is accessed, misused, or its memory is later consumed by other prompts or tools.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal