Image Generation Studio

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed image-generation CLI wrapper that uses API keys and provider endpoints as expected, with some integration risks around custom endpoints and URL downloads.

Install only if you are comfortable sending prompts and selected input images to configured image providers. Use trusted HTTPS endpoints, prefer environment variables over storing keys in config.json, and prefer b64_json responses when supported to avoid fetching arbitrary provider-returned URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tainted flow: 'req' from os.environ.get (line 733, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        "Referer": "https://x.ai/",
    }
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read()
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as r:

Tainted flow: 'req' from os.environ.get (line 733, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    headers = {**BROWSER_HEADERS, **headers}
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        detail = e.read().decode(errors="replace")
Confidence
84% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Tainted flow: 'req' from os.environ.get (line 733, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        detail = e.read().decode(errors="replace")
Confidence
84% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill instructs the agent to invoke a CLI that uses network access, may consume environment-provided API keys, and can read local runtime configuration, but the skill declares no explicit permissions. This creates a transparency and policy gap: an orchestrator or reviewer may underestimate the skill’s ability to access secrets-adjacent configuration and send user prompts or images to external providers.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance includes very broad phrases such as "Configure this interface for me" and similar casual language, which can cause the skill to activate in situations beyond explicit image-provider configuration. In this skill's context, unintended activation is more dangerous because the skill is designed to read and modify local configuration, including provider endpoints and potentially credential-handling behavior, so false triggers could lead to unwanted config changes or acceptance of risky provider settings.

VirusTotal

65/65 vendors flagged this skill as clean.
