AI Image Generation

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only image generation skill whose provider API use and local preference memory are disclosed and aligned with its purpose.

Install if you are comfortable sending prompts and reference images to the image providers you choose. Use scoped or budget-limited API keys, do not paste secrets or confidential material into prompts, and periodically review or delete ~/image-generation/memory.md and history.md if they may contain sensitive project context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Low
Confidence: 93%
Finding: The skill includes runnable examples that send prompts and related data to a third-party API using an API key, but it does not warn users that their prompts, images, or metadata will be transmitted off-platform. This is not overtly malicious, but it can lead to inadvertent disclosure of sensitive or proprietary content if users paste confidential data into prompts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill instructs creation of a persistent local memory file without informing the user that session-derived data will be stored on disk. This can lead to unintended retention of preferences or project details, which is risky on shared machines or when users do not expect persistence.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The memory update instructions direct the agent to store session-derived preferences, successful prompt patterns, and ongoing project style constraints without a privacy warning or consent step. Even if not obviously secret, this information can reveal sensitive creative work, business context, or user habits over time.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (snippet as excerpted by the scanner, truncated):
```python
import requests

response = requests.post(
    "https://cloud.leonardo.ai/api/rest/v1/generations",
    headers={
        "Authorization": f"Bearer {LEONARDO_API_KEY}",
```
Confidence: 86%
Finding: requests.post( "https://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (snippet as excerpted by the scanner, truncated):
```python
import requests

response = requests.post(
    "https://cloud.leonardo.ai/api/rest/v1/generations",
    headers={
        "Authorization": f"Bearer {LEONARDO_API_KEY}",
```
Confidence: 86%
Finding: requests.post( "https://cloud.leonardo.ai/api/rest/v1/generations", headers={ "Authorization": f"Bearer {LEONARDO_API_KEY}", "Content-Type": "application/json" }, json=

VirusTotal

66/66 vendors flagged this skill as clean.
