Poetry Daily Art

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent poetry image generator, with manageable risks around a third-party image CLI, local file paths, optional cron use, and cleanup of prior generated images.

Install only if you trust the MiniMax/mmx CLI and want poetry prompts sent to that image service. Check the hardcoded workspace paths before running, use a dedicated API key if possible, preserve any image_*.jpg or image_*.png files you care about in the output directory, and enable cron or chat delivery only if you want automatic daily messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The script unconditionally deletes existing image_*.jpg and image_*.png files in a user workspace directory before generating a new image. Even though the path is hard-coded and quoted, this can still cause unintended data loss and overwrite prior outputs without user awareness, which is risky for an automated skill triggered by chat or cron.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script builds a prompt using poem titles sourced from local progress and memory files, then sends that content to the external 'mmx image' tool. If that tool invokes a remote service, locally derived content is disclosed externally without any explicit notice, consent, or data classification checks, creating a privacy and data-governance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
