Lora Pipeline

Security checks across malware telemetry and agentic risk

Overview

This LoRA training skill is mostly coherent, but it needs review because it handles face datasets, encourages login-bypassing image scraping, uploads data to RunPod, and leaves some cleanup and overwrite risks under-scoped.

Install only if you are comfortable with a cloud-based face-image LoRA workflow. Before use, confirm rights and consent for all images, avoid login-bypassing mirror sites, review any ZIP contents before extraction, make backups of existing captions, verify the RunPod account/costs, and manually confirm that pods and remote datasets are deleted after training.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill's privacy section says image and caption contents must not be read or analyzed, yet the documented workflow explicitly performs face verification, quality filtering, cropping, and WD14 caption generation. This contradiction creates unsafe operator ambiguity: an agent may either ignore the privacy controls or skip essential processing, leading to improper handling of sensitive biometric data and inconsistent enforcement of local-only safeguards.

Vague Triggers

Medium
Confidence: 89%
Finding
The activation description is broad enough to match common requests like building a dataset, collecting photos, or training a LoRA, which can cause the skill to trigger in situations the user did not intend. Because this skill orchestrates scraping, face verification, and model training around personal images, accidental activation can initiate privacy-sensitive or policy-sensitive workflows without sufficient user confirmation or scope checks.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs use of Instagram mirror sites to bypass login, which encourages circumvention of platform access controls and can expose users to privacy, legal, and security risks. Mirror/scraper sites are often untrusted intermediaries that may violate terms of service, collect browsing data, or serve manipulated content, and the skill provides no warning or consent boundary.

Missing User Warnings

Medium
Confidence: 82%
Finding
The workflow automatically unzips user-supplied archives into a local staging directory without warning or any mention of safe extraction controls. Untrusted ZIP extraction can write unexpected files, consume disk space, and, if path traversal protections are not enforced by the tooling/environment, potentially place files outside the intended staging area.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script opens a sidecar .txt file in write mode for every image and unconditionally overwrites any existing file with the same basename. In batch use, this can destroy prior annotations, prompts, captions, or other user data in the target directory without warning, making it a real integrity issue even though it is not code-execution related.

VirusTotal

64/64 vendors flagged this skill as clean.