ImgBB API

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ImgBB uploader, with expected privacy and API-key handling caveats rather than evidence of hidden or malicious behavior.

Install this only if you intend to upload selected images to ImgBB. Avoid using it for private, internal, regulated, or sensitive images unless you accept that they may become externally hosted. Prefer IMGBB_API_KEY or ensure ~/.imgbb_api_key is readable only by your account if you use the saved-key option.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation condition is broad enough to trigger on many ordinary requests about sharing images online, which can cause the skill to activate in contexts where the user did not explicitly consent to using ImgBB. Because this skill uploads content to a third-party service, overbroad activation increases the chance of unintended external data disclosure.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill describes image uploading functionality without clearly warning that local images, image URLs, and related metadata will be transmitted to ImgBB, a third-party service. This can lead to privacy and confidentiality issues if users or agents invoke the skill on sensitive images without understanding that the data leaves the local environment.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script saves the API key to ~/.imgbb_api_key without setting restrictive file permissions or warning the user that a long-lived secret is being stored locally. On multi-user systems or misconfigured environments, this can expose the credential to other local users or backup/sync processes.

VirusTotal

VirusTotal findings are pending for this skill version.
