AI Image & Video Generator | WIME

Security checks across malware telemetry and agentic risk

Overview

This WIME image-processing skill is mostly purpose-aligned, but it needs review because its auth helper can print the user’s WIME access token.

Install only if you trust WIME with the images and URLs you provide. Avoid using sensitive, private, customer, or unreleased product images unless WIME’s data handling is acceptable to you. Do not run or share output from scripts/wime_auth.py unless the token is removed or masked, and keep WIME_BASE_URL pointed at the intended WIME endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation instructs callers to send image URLs to a remote API but does not warn that user-supplied images may be transmitted to a third-party service, potentially exposing personal, proprietary, or regulated data. In an e-commerce image-processing skill, users may upload product photos that contain sensitive metadata, people, locations, or unreleased product imagery, so missing privacy disclosure increases the risk of unintended data sharing.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly states that uploaded images are returned as directly accessible URLs, but it provides no warning that these URLs may expose user-uploaded content publicly. In an e-commerce image-processing skill, users may upload proprietary product assets, customer images, or pre-release marketing materials, so omission of privacy guidance can lead to unintended data disclosure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The CLI prints the full authentication structure, including the `access-token` header sourced from the environment. That exposes the bearer token to terminal history, logs, CI output, screenshots, or any caller that captures stdout, enabling unauthorized API use if the token is reused. In this skill context, the script is explicitly an auth helper, so accidental secret disclosure is more dangerous because users are likely to run it during setup and copy its output into other tools.

VirusTotal

66/66 vendors flagged this skill as clean.
