Banana Claws

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenRouter image-generation skill, but its queue helper can automatically terminate local processes based on editable queue metadata.

Review before installing if you plan to use queue mode. Use a private workspace, avoid sensitive prompts or images unless you approve sending them to OpenRouter, and consider disabling or patching stale-worker cleanup so it only terminates verified worker processes. For single-image generation, the remaining risks are mainly expected API-key, network, and local metadata-retention risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tainted flow: 'data' from requests.post (line 215, network input) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
    if args.save_response_json:
        save_path = pathlib.Path(args.save_response_json)
        save_path.parent.mkdir(parents=True, exist_ok=True)
        save_path.write_text(json.dumps(data, ensure_ascii=False, indent=2) + '\n')

    choices = data.get('choices') or []
    if not choices:
Confidence
88% confidence
Finding
save_path.write_text(json.dumps(data, ensure_ascii=False, indent=2) + '\n')

Tainted flow: 'data_url' from requests.post (line 118, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
        b64 = data_url.split('base64,', 1)[1]
        out.write_bytes(base64.b64decode(b64))
    elif data_url.startswith('http://') or data_url.startswith('https://'):
        img = requests.get(data_url, timeout=180)
        img.raise_for_status()
        out.write_bytes(img.content)
    else:
Confidence
97% confidence
Finding
img = requests.get(data_url, timeout=180)

Tainted flow: 'img' from requests.get (line 248, network input) → pathlib.Path.write_bytes (file write)

Medium
Category
Data Flow
Content
    elif data_url.startswith('http://') or data_url.startswith('https://'):
        img = requests.get(data_url, timeout=180)
        img.raise_for_status()
        out.write_bytes(img.content)
    else:
        print('Unknown image URL format', file=sys.stderr)
        return 1
Confidence
81% confidence
Finding
out.write_bytes(img.content)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script reads worker_pid values from JSON files in the handoff directory and may send SIGTERM/SIGKILL to whatever process currently owns that PID if the metadata says it is stale. Because PIDs can be spoofed via writable queue metadata or reused by unrelated processes, this can terminate unrelated local processes and cause denial of service or disrupt other workloads.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The optional full-response save persists provider JSON that may include sensitive prompts, metadata, and image references without any notice, minimization, or redaction. In an agent workflow, this increases the chance of inadvertent retention of sensitive user data on disk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends prompts and potentially local baseline images to an external service, including base64-encoded file content, but does not provide an explicit disclosure at transmission time. In this skill context, prompts and attachments may contain user-sensitive or proprietary material, so silent exfiltration to a third party is materially relevant.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code forcibly terminates stale workers automatically and without any operator confirmation or prominent disclosure. In an agent skill that runs automation on a shared local system, this increases the chance of unexpected process termination and makes any PID-mismatch issue more dangerous.

VirusTotal

66/66 vendors flagged this skill as clean.