Security audit

DesignKit SKU 套图生成器 (DesignKit SKU image-set generator)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly performs the image editing and ecommerce image generation it describes, but the review raises serious concerns around credential logging, unsafe command input handling, and under-scoped database access in the SKU workflow.

Review before installing. Use it only in a controlled workspace, set OPENCLAW_REQUEST_LOG=0 before running, avoid untrusted JSON or paths, verify any DB_* configuration and SKU table before use, and rotate the DesignKit API key if it has already been used with default logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding:
The skill advertises itself as a router for image editing and ecommerce image generation, but the documented behavior adds a SKU-driven pipeline that queries a database and may load external environment configuration. That expands the trust boundary from user-supplied image processing into backend data access and automation, which can expose internal product data, secrets, or unintended operational actions if the SKU path is triggered or misused.

Description-Behavior Mismatch
Severity: Medium
Confidence: 86%
Finding:
The manifest says the skill routes to two sub-skills, but the body introduces a third SKU-based workflow with materially different capabilities. This kind of documentation/behavior drift is dangerous because reviewers and users may approve the skill under a narrower mental model while the runtime can invoke a more privileged path involving automated data retrieval.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding:
Automatic database queries are a significant expansion beyond a stated image-editing/routing purpose. Even without obvious malicious intent, hidden backend data access increases risk of unauthorized data exposure, excessive privilege, and misuse through prompt-triggered execution paths that operators may not expect from an image tool.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding:
The script automatically loads environment files from hard-coded locations and reads database credentials to pull product data, even though the skill is described as image-processing/routing oriented. This creates unnecessary access to local secrets and internal data sources, increasing the blast radius if the skill is invoked in a privileged environment.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding:
The code performs schema inspection and arbitrary table-based SKU lookup, which expands capability beyond the stated skill purpose and gives the script direct access to internal database contents. In an agent setting, this kind of hidden data-source reach can expose sensitive business data or enable unintended reconnaissance of the database schema.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding:
The workflow description explicitly instructs shell execution of a script and describes multiple external network calls, yet provides no user-facing disclosure, consent checkpoint, or constraints on what data may be transmitted. In an agent environment, hidden shell/script execution combined with remote API submission can cause unintended command execution paths and silent exfiltration of user-supplied content or metadata to third-party services.

Missing User Warnings
Severity: Medium
Confidence: 99%
Finding:
The request logger emits full curl commands including all headers and request bodies to stderr. Because authenticated requests include the X-Openclaw-AK header, anyone with access to logs, terminal captures, CI output, or agent transcripts can recover the API key and potentially sensitive user prompts or image URLs. In an agent skill context, verbose stderr is especially risky because logs are often centrally collected or surfaced to users/operators.

Missing User Warnings
Severity: High
Confidence: 99%
Finding:
The request logging helper prints a fully reproducible curl command to stderr and explicitly includes the complete X-Openclaw-AK value. In many agent/tooling environments stderr is captured in user-visible traces, CI logs, chat transcripts, or observability systems, so this directly leaks the API credential and enables unauthorized API use.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding:
The workflow sends product image URLs and product copy to an external DesignKit service, but there is no explicit consent, warning, or data-classification control around that transfer. In an enterprise agent context, silent transmission of internal product assets or unreleased marketing text to a third-party service can create confidentiality and compliance risk.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding:
The skill explicitly instructs automatic downloading of generated images to the local filesystem and details fallback output paths, but it does not require explicit user consent at the moment of write. In an agent setting, silent file creation can surprise users, leak sensitive output into persistent locations, or write into directories the user did not expect.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The skill explicitly states that a helper script will automatically upload local images, but it does not warn users up front that supplying a local path or URL causes image data to be transmitted to external services. This can lead to unintended disclosure of sensitive images, file contents, or internal URLs/metadata, especially because users are prompted to provide local paths directly as normal input.

Ssd 3
Severity: High
Confidence: 100%
Finding:
The logger prints plaintext authenticated HTTP requests, including the API key header and full JSON payloads. This directly exposes credentials and potentially user-supplied business data, prompts, and image references, enabling account misuse, unauthorized API consumption, and privacy leakage if logs are accessible. The skill context increases severity because agent platforms frequently persist stderr/stdout and make them available to operators or downstream systems.

Ssd 3
Severity: Medium
Confidence: 96%
Finding:
The response logger dumps full API responses, which may contain uploaded image metadata, generated commercial assets, internal task data, or other sensitive user content. In shared agent or CI environments, this can leak proprietary product imagery and prompts beyond intended recipients. The risk is somewhat lower than credential exposure, but still meaningful because generated assets and business inputs may be confidential.

VirusTotal

59/59 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.