Image Hosting for agents

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only image-hosting skill whose public upload, API-key, delete, and retention behaviors are disclosed and aligned with its purpose.

Install this only if you intend to publish selected images through AgentImgHost. Treat uploaded images as public, keep the API key private, confirm the exact file or image ID before upload or deletion, and disable circular overwrite if preserving older hosted images matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill emphasizes that uploaded files are immediately accessible worldwide via a direct public CDN URL, but it does not prominently warn that sensitive screenshots or personal images will become public. An agent following this guidance could upload confidential material without informed user consent, causing unintended data exposure.

Missing User Warnings

Medium
Confidence: 87%
Finding
The delete API is presented as a simple operation without a warning that deletion is destructive and may not be recoverable. In an agent context, this increases the chance of accidental data loss if an agent deletes the wrong image or acts without explicit confirmation.

Missing User Warnings

High
Confidence: 97%
Finding
The circular overwrite behavior automatically deletes the oldest image when limits are reached, but the skill does not foreground this as a destructive retention policy. An agent using the service for storage could unintentionally trigger silent deletion of prior images, leading to hard-to-detect data loss.

VirusTotal

63/63 vendors flagged this skill as clean.
