Vision Sandbox

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: it sends a chosen image and prompt to Gemini for vision analysis using Google's remote code-execution sandbox.

Install only if you are comfortable sending the chosen images, screenshots, prompts, and resulting analysis to Google Gemini under your API key. Avoid submitting secrets, credentials, private customer data, or confidential screenshots unless that is allowed by your data-handling policy, and use a constrained or monitored Gemini key where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The README explicitly suggests using the vision skill not only to analyze a screenshot but also to update `styles.css` accordingly, expanding the skill from visual inspection into code/file modification. That broadens the trust boundary and can cause an agent to make repository changes based on image-derived output without clear authorization or scope limits.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill prints model-generated executable code and sandbox execution results directly to the user. In a vision-oriented skill, exposing arbitrary generated code broadens the capability surface and can leak sensitive data derived from the sandbox run, normalize unsafe copy/paste execution by users, or reveal unintended behaviors beyond the advertised vision use case.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding: The skill requires a sensitive credential (GEMINI_API_KEY) but does not warn users about secure handling, storage, or the risks of exposing that key in logs, shells, or shared environments. While this omission does not itself leak the key, it increases the chance of accidental credential disclosure during installation and use.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill states that Gemini writes and runs Python code in a Google-hosted sandbox, but it does not clearly warn users that submitted images, prompts, and derived data are transmitted to an external service for processing. In a vision and UI-auditing context, those images may contain sensitive screenshots, proprietary interfaces, personal data, or credentials, making the missing disclosure materially risky.

VirusTotal

64/64 vendors flagged this skill as clean.