ClawHub
Back to skill

Security audit

bizyair-banana2

Security checks across malware telemetry and agentic risk

Overview

This is a coherent BizyAir cloud image-generation skill, but users should know prompts and selected reference images are sent to BizyAir and paid API usage can incur charges.

Install only if you trust BizyAir with the prompts and reference images you choose to submit. Avoid confidential or personal images unless you accept third-party processing, keep the API key scoped and private, monitor pay-per-use spending, and prefer explicit invocation over relying on the broad triggers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill clearly relies on an external BizyAir API, yet the description does not prominently warn that user prompts, reference images, and API credentials or credential-derived requests are sent to a third-party service. In this context, the omission is significant because the skill handles potentially sensitive creative prompts and local images, so users may unknowingly transmit private data off-host.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The triggers "BizyAir" and especially "Banana" are ambiguous terms that may appear in unrelated contexts, with "Banana" being a common English word and "BizyAir" potentially referenced informationally rather than as an invocation. Because this skill performs cloud image generation and is billed per use, ambiguous activation phrases increase the risk of unintended execution and external service usage.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The triggers "BizyAir" and especially "Banana" are ambiguous terms that may appear in unrelated contexts, with "Banana" being a common English word and "BizyAir" potentially referenced informationally rather than as an invocation. Because this skill performs cloud image generation and is billed per use, ambiguous activation phrases increase the risk of unintended execution and external service usage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script uploads user-supplied reference images to BizyAir and later downloads generated outputs, but it does not provide an explicit privacy or data-transfer warning before sending potentially sensitive local images to a third-party service. In an agent-skill context, this can cause users to disclose confidential or personal images without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.