Generate/edit images via Tuzi API (default), Google Gemini, OpenAI, DashScope, Replicate. Text-to-image + image-to-image editing; 1K/2K/4K resolution. Use for image create/modify/edit requests incl. --input-image.

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its image-generation purpose, but unsafe shell command construction and under-disclosed proxy handling create review-worthy risk.

Install only if you trust the publisher and understand that prompts, API keys, and any input images may be sent to selected third-party image providers. Avoid using untrusted filenames or directories as --input-image, avoid running it in projects with untrusted .tuzi-skills/.env files, and be careful with proxy environment variables because the Google path can route sensitive API traffic through them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The code interpolates a user-controlled file path into a shell command passed to execSync. Although the path is wrapped in double quotes, shell metacharacters such as command substitution ($()) inside double quotes can still be evaluated, enabling command injection if an attacker supplies a crafted --input-image value.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
When proxy environment variables are present, the provider switches from native fetch to execSync with a shell-constructed curl command. Because both the proxy value and API key are interpolated into the shell command, an attacker who can influence environment variables can trigger shell injection or force sensitive requests through an attacker-controlled proxy, which exceeds the normal risk expected for an image-generation provider.

Missing User Warnings

Low
Confidence: 83%
Finding
The skill explicitly instructs saving outputs into the user's current working directory and accepts a user-provided filename/path, but it does not warn that this performs filesystem writes and may overwrite existing files. In practice, this can cause accidental clobbering of user files or writes to unintended locations if paths are reused or not constrained.

Missing User Warnings

Medium
Confidence: 94%
Finding
The proxy code path sends the full request body and x-goog-api-key through a proxy selected from environment variables, with no explicit user acknowledgement or restriction. In this skill, the payload can include user prompts and base64-encoded input images, so an attacker-controlled proxy can observe or tamper with highly sensitive content and credentials.

Missing User Warnings

Medium
Confidence: 90%
Finding
If --input-image is provided, the code reads the local file, converts it to a data URL, and includes the full image contents in the request body sent to Replicate. In an image-editing skill this transfer is expected, but without a clear user-facing notice or consent checkpoint at the moment of upload, users may unintentionally transmit sensitive local images to a third-party service.

Missing User Warnings

Medium
Confidence: 94%
Finding
When --input-image is used, the code reads the local file and embeds its full contents as a base64 data URL in the request body sent to the remote Tuzi API. In an agent skill context, users may not realize that a local file they reference is being uploaded off-host, which can expose sensitive images or metadata to a third party.

VirusTotal

64/64 vendors flagged this skill as clean.
