Kie Ai Skill

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its image-generation purpose, but unsafe input handling and API-key forwarding create review-worthy risk before installation.

Review before installing. Use a limited KIE API key, avoid passing untrusted text to `models --category`, keep Drive upload disabled unless needed, and delete `images/` plus `.task-state.json` when prompts or outputs are sensitive. A safer release should validate download hosts before sending Authorization headers and replace the inline `python3 -c` category handling with a properly parsed script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'req' from os.getenv (line 158, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:

```python
}
        req = urllib.request.Request(url, headers=headers)

        with urllib.request.urlopen(req, timeout=30) as response:
            with open(output_path, 'wb') as f:
                f.write(response.read())
        return True
```

Confidence: 83%
Finding: `with urllib.request.urlopen(req, timeout=30) as response:`

Tainted flow: 'req' from os.getenv (line 59, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:

```python
}
        req = urllib.request.Request(url, headers=headers)

        with urllib.request.urlopen(req, timeout=30) as response:
            with open(output_path, 'wb') as f:
                f.write(response.read())
        return True
```

Confidence: 92%
Finding: `with urllib.request.urlopen(req, timeout=30) as response:`

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documents capabilities to read environment variables, read/write local files, invoke shell commands, and make network requests, but it does not declare permissions in the manifest. That creates a transparency and governance gap: operators cannot accurately assess or constrain what the skill can access before installation, which is especially relevant because it handles API keys and transmits prompts/files to third-party services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The top-level description understates behavior by framing the skill primarily as an image-generation wrapper while the documentation shows additional external service usage, balance checking, and broader capability claims. Description-behavior mismatches are dangerous because users and policy engines may approve the skill under incomplete assumptions, leading to unintended data disclosure or broader-than-expected execution.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The security statement says no telemetry or usage data is collected by the skill itself, but the same document states that local task history and usage tracking are stored on disk. Even if the data is only local, this contradiction can mislead users about retention and privacy, causing sensitive prompts, task metadata, or generated-file references to be persisted unexpectedly.

Intent-Code Divergence

Severity: High
Confidence: 84%
Finding: The configuration guidance instructs users to set a MATON_API_KEY and visit Maton service URLs, which is inconsistent with the rest of the skill's kie.ai branding and Google Drive workflow. This can misdirect users into disclosing credentials to an unrelated service, creating a real risk of credential confusion, accidental secret exposure, and unsafe cross-service trust assumptions.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The security manifest states that no data is sent anywhere except two kie.ai endpoints, but the implementation can also upload generated files to Google Drive. This misleading disclosure can cause users or reviewers to underestimate external data transmission and approve the skill under false assumptions.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The security manifest claims data is only sent to a specific endpoint, but the actual code uploads file contents to a different URL (`.../files?uploadType=multipart`). Misstated network destinations undermine trust and reviewability, and can cause operators to approve exfiltration behavior under false assumptions.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding: The security manifest states that no data is sent to endpoints other than the listed API, but the implementation downloads images from result URLs that may point to arbitrary external hosts. This mismatch can mislead reviewers and operators about the real network exposure, obscuring the credential-leak risk in the download path.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The README promotes optional Google Drive upload without prominently warning that generated files are sent to third-party services and may be stored remotely for long periods or indefinitely. In an agent skill context, unclear disclosure can lead users to unintentionally exfiltrate sensitive prompts or outputs to external providers, increasing privacy and data handling risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The autonomous invocation guidance uses a broad natural-language trigger ('Generate a cyberpunk city image with kie.ai') without clear confirmation or policy boundaries. In agentic environments, such broad triggers can lead to unintended execution, causing prompt data to be sent to external APIs and potentially consuming paid credits without explicit user consent at the moment of action.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The module persists full task state, including user prompts, arbitrary metadata, and potentially result data, to a predictable JSON file on local disk without any access controls, minimization, encryption, or user disclosure. In this skill's context, prompts and model outputs may contain sensitive user data, API-related context, or proprietary content, so local persistence increases the risk of unintended disclosure to other local users, backups, logs, or later processes.

VirusTotal

64/64 vendors flagged this skill as clean.
