ClawHub

Axiom Color Palette

Security checks across malware telemetry and agentic risk

Overview

The package appears non-destructive, but it is advertised as an image color extractor while the actual code is only a hex-color harmony generator.

Review before installing. This skill looks locally contained and non-destructive, but do not rely on it for image-based palette extraction; install it only if you want a simple hex-color harmony generator, or wait for the publisher to align the metadata, docs, and implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The README describes a completely different capability than the manifest: a single-color harmony generator rather than an image-based dominant-color extractor. This kind of capability mismatch can mislead users, agents, or policy systems into invoking the skill in inappropriate contexts, causing incorrect outputs, broken workflows, and trust failures around what code will actually do.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The README explicitly states 'Pas d'extraction depuis image' while the manifest claims the tool extracts dominant colors from PNG/JPEG/GIF images. This direct contradiction is dangerous because it guarantees operator confusion and makes automated selection or security review based on metadata unreliable.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata promises image-based dominant-color extraction, but the implementation actually generates harmony palettes from a user-supplied base hex color. This semantic mismatch is a real integrity and trust vulnerability in agent tooling because downstream systems may invoke the skill expecting image parsing, validation, and deterministic extraction behavior that does not exist, leading to unsafe automation decisions or hidden capability substitution.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module documentation explicitly states that image extraction is not supported and that the tool generates harmonies from a base color, directly contradicting the stated skill purpose. In an agent ecosystem, contradictory self-description increases the chance that orchestrators, reviewers, or users misunderstand the real behavior, which can cause incorrect routing, unreliable outputs, and erosion of security assurances around declared capabilities.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The generate() docstring confirms the function operates on a base hex color rather than an image, reinforcing that the implementation does not match the advertised contract. While this is less severe than the top-level manifest mismatch, it still contributes to deceptive or unreliable integration behavior by documenting an API different from the expected skill capability.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal