Ai Image Generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward image-generation helper for ricebowl.ai, with disclosed CLI install and API-key use, but users should watch for broad triggers and paid-credit usage.

Install only if you intend to use ricebowl.ai through the ai-media-generator CLI. Use a dedicated API key if possible, confirm the base URL, and remember that generation may consume credits or quota. If you do not read Chinese, verify the command examples before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger phrase "image generator" is very broad and matches common user wording outside a tightly scoped skill-routing context. This can cause unintended activation of the skill, which may steer users into this workflow when a more specific or different skill would be more appropriate.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The phrase "text to image" is a generic capability description used across many products and workflows, so using it as a bare trigger increases the chance of accidental invocation. In an agent environment, overbroad routing can expose users to the wrong commands, assumptions, and API-key setup steps.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger "image to image" is ambiguous and broadly used in AI, design, and editing conversations, making accidental activation likely. This is risky because the skill includes operational guidance and command templates that may not match the user's actual context.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
"Prompt to image" is a generic phrase that can appear in many ordinary AI-art discussions, so using it directly as a trigger can misroute conversations. In this skill, that could lead to unnecessary onboarding, API-key handling instructions, or CLI-specific responses when the user did not ask for them.

Natural-Language Policy Violations

Severity: High
Confidence: 88%
Finding:
The skill text explicitly directs handling requests in Chinese without any indication that the user requested Chinese, which can override user language preference and impair comprehension. In a security-sensitive assistant context, forced language switching can cause users to misunderstand commands, API-key steps, or billing/setup instructions, increasing the chance of misuse or accidental credential exposure.

VirusTotal

63/63 vendors flagged this skill as clean.
