ClawHub

Memorable Image Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Gemini-based image generation skill with expected external API use, but users should understand that prompts are sent off-device.

Install only if you are comfortable sending image prompts and any input images to the configured Gemini endpoint. Do not include secrets, regulated personal data, or proprietary material in prompts unless that external sharing is approved, and review the configured API key and base URL before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares runtime requirements that enable access to environment variables, local files, file writes, and outbound network calls, but it does not declare corresponding permissions or clearly constrain those capabilities. This can mislead users and host systems about the skill's effective access level, reducing informed consent and weakening sandbox or policy enforcement around sensitive data and external transmission.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger text includes a very broad activation condition such as 'any image generation request where memorability is a goal,' which can cause the skill to activate in more contexts than users expect. Over-broad invocation increases the chance that prompts or sensitive content are sent to external services without deliberate user intent to use this specific skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description explains that Gemini is used, but it does not present a clear user-facing warning at the point of use that prompts are transmitted to an external image-generation API. Users may provide confidential, regulated, or proprietary content under the assumption processing is local, leading to unintended disclosure to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal