
Security audit

banana

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill mostly does what it claims, but it handles API keys and network destinations in ways users should review carefully before installing.

Install only if you trust this publisher and the NewAPI Banana service. Do not paste a long-lived API key into chat; use a limited, rotatable key in local config or NEWAPI_API_KEY instead, monitor account usage, and be aware that the default endpoint is HTTP and may expose prompts, images, and credentials on the network.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    output_path = args.output or f"/tmp/openclaw/newapi-output/image_{int(time.time())}.png"
    Path(output_path).parent.mkdir(parents=True, exist_ok=True)
    cmd = ["curl", "-s", "-S", "-L", "-o", output_path, "--max-time", "300", image_url]
    dl = subprocess.run(cmd, capture_output=True, text=True)
    if dl.returncode != 0:
        print(f"Download failed: {dl.stderr}", file=sys.stderr)
        sys.exit(1)
Confidence
87% confidence
Finding
dl = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            "--max-time", "10",
            "-H", f"Authorization: Bearer {key}",
        ]
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode == 0:
            print(json.dumps({
                "status": "ready",
Confidence
94% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes Python and curl, reads reference/data files, and depends on an API key environment variable, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a host may allow the skill to run with shell, file-read, and env access that users or reviewers were not clearly warned about, increasing the risk of unexpected data access or command execution.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation explicitly tells users they can provide an API key directly in conversation, which encourages secrets to be entered into chat channels that may be logged, retained, forwarded to models, or exposed in transcripts. This expands the skill's trust boundary from local configuration to conversational secret handling without any disclosure-risk warning or clear secure-storage guarantees.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill allows an arbitrary host override during --check and then sends the resolved API key, as a bearer token, to whatever destination was supplied. In context this is more dangerous because the script discovers credentials automatically from the environment and local config, so a simple connectivity flag becomes a credential-exfiltration path: pointing the override at an attacker-controlled host is enough to capture the key.
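The check that is missing here, as an added example (not code from the skill or from NewAPI): validate the destination before any Authorization header exists. The allowlisted hostname, the flag name and the NEWAPI default are assumptions, since the audit page does not give them; the HTTP default and the bearer-token header are what the findings above show.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the audit page does not give the NewAPI Banana hostname,
# so this placeholder stands in for the real one.
ALLOWED_HOSTS = frozenset({"api.banana.example"})


class UnsafeEndpoint(ValueError):
    """Raised when a --check destination must not receive the bearer token."""


def validate_endpoint(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalised https URL or raise; the token is never sent to a rejected URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # The audited default is plain HTTP: a bearer token sent over it is readable on the wire.
        raise UnsafeEndpoint(f"refusing non-HTTPS endpoint {url!r}")
    if parts.username or parts.password:
        # 'https://api.banana.example@attacker.example/' puts the expected host in the userinfo part.
        raise UnsafeEndpoint("userinfo in the endpoint URL is not allowed")
    host = parts.hostname
    if not host or host not in allowed_hosts:
        raise UnsafeEndpoint(f"host {host!r} is not an allowed NewAPI endpoint")
    if parts.port not in (None, 443):
        raise UnsafeEndpoint(f"non-standard port {parts.port} rejected")
    # Drop query and fragment so an override cannot smuggle extra parameters onto the probe.
    return f"https://{host}{parts.path or '/'}"


def resolve_endpoint(override, default):
    """Same precedence as a host-override flag (override wins), but both sources are validated."""
    return validate_endpoint(override or default)


def check_request(endpoint, api_key, override=None):
    """Build the --check probe. The Authorization header exists only after validation succeeds."""
    url = resolve_endpoint(override, endpoint)
    return url, {"Authorization": f"Bearer {api_key}"}


def demo():
    """Run the validator over the kinds of destination an override or a typo could produce."""
    default = "http://api.banana.example/v1/models"  # mirrors the audited HTTP default (hostname assumed)
    cases = {
        "http_default": (default, None),
        "attacker_override": (default, "https://collector.attacker.example/v1/models"),
        "userinfo_trick": (default, "https://api.banana.example@collector.attacker.example/"),
        "good_override": (default, "https://api.banana.example/v1/models?debug=1#x"),
    }
    results = {}
    for name, (endpoint, override) in cases.items():
        try:
            results[name] = check_request(endpoint, "sk-test", override)[0]
        except UnsafeEndpoint as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the HTTP default itself is rejected: a validator that only guards the override still leaks the key over the network whenever no override is given.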

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Forcing Chinese-only responses without user opt-in is a policy and usability issue because it can override user preferences and reduce clarity around important operational details such as cost, errors, or consent prompts. In a skill that performs external API actions and may require setup steps, language coercion can increase the chance of user misunderstanding, though it does not directly create code-execution risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly tells users to paste their API key into chat so the assistant can configure it for them. Credentials shared through chat may be logged, retained, exposed to the model runtime, or leaked via transcripts and integrations, making this a real secret-handling vulnerability.

Missing User Warnings

High
Confidence
99% confidence
Finding
Telling users to paste API keys into chat is a direct secret-handling anti-pattern because chat content is commonly persisted in logs, histories, analytics systems, and model context. In this skill context, the issue is more dangerous because the skill only needs an API key for image generation and has safer alternatives already documented, so normalizing chat-based secret submission is unnecessary and increases leakage risk.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The file is entirely written as prescriptive Chinese-language operating guidance, which can push the agent to respond in Chinese regardless of the user's language preference. This is primarily a policy and usability issue, but it can also interfere with safe, clear communication during errors or consent-sensitive actions if the user does not understand Chinese.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The code saves the response from a remotely supplied URL to a local path without validating the source URL, and the curl invocation follows redirects (-L), combining an outbound fetch with a local write. In agent environments this creates a meaningful risk of downloading attacker-chosen content from internal or untrusted locations and persisting it locally.
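A hardened replacement for the curl download in the first subprocess finding, as an added example that is not the skill's own code: the URL is restricted to https and to hosts that resolve to public addresses, redirects are refused instead of followed, the response is size-capped and sniffed, and the output file is created fresh inside a fixed directory. The PNG assumption follows the audited .png filename; the hostnames, IP mapping and image body in the demo are constructed for the offline run.

```python
import ipaddress
import os
import socket
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_BYTES = 20 * 1024 * 1024      # hard cap: the audited curl call had a timeout but no size limit
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # assumes the service returns PNG, as the audited .png filename suggests


class UnsafeDownload(ValueError):
    """Raised when the URL, the response or the destination path is unacceptable."""

def is_public_ip(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def validate_image_url(url, resolver=socket.getaddrinfo):
    """Accept only https URLs whose host resolves to public addresses.
    The lookup is a pre-check, not a guarantee (DNS rebinding can change the answer
    before connect), so it is paired with the no-redirect fetch below."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeDownload(f"refusing scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeDownload("URL has no host")
    try:
        infos = resolver(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeDownload(f"cannot resolve {host!r}") from exc
    for info in infos:
        ip = info[4][0]
        if not is_public_ip(ip):
            raise UnsafeDownload(f"{host!r} resolves to non-public address {ip}")
    return url

class _NoRedirect(HTTPRedirectHandler):
    # curl -L follows redirects; a 302 to an internal address would bypass the check above.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeDownload(f"refusing redirect to {newurl!r}")

def fetch_bytes(url, timeout=30.0):
    """Network fetch used in real runs; the demo swaps in a constructed fetcher instead."""
    opener = build_opener(_NoRedirect())
    req = Request(url, headers={"User-Agent": "banana-skill"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.read(MAX_BYTES + 1)

def safe_output_path(base_dir, filename):
    """Confine the output to base_dir; absolute names and '..' segments are rejected."""
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base:
        raise UnsafeDownload(f"{filename!r} escapes {base}")
    return target

def download_image(url, base_dir, filename, fetch=fetch_bytes, resolver=socket.getaddrinfo):
    """Validate, fetch with a size cap, sniff the content, then write a brand-new 0600 file."""
    validate_image_url(url, resolver)
    dest = safe_output_path(base_dir, filename)
    data = fetch(url)
    if len(data) > MAX_BYTES:
        raise UnsafeDownload("response exceeds size cap")
    if not data.startswith(PNG_MAGIC):
        raise UnsafeDownload("response is not a PNG")
    dest.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL: create a new file or fail; never overwrite or follow a pre-existing path.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo():
    """Offline run over constructed inputs: a fake resolver and a fake fetcher, no network."""
    fake_dns = {"cdn.banana.example": "8.8.8.8", "internal.corp": "10.0.0.5"}  # constructed mapping

    def resolver(host, port, **_):
        return [(None, None, None, "", (fake_dns.get(host, host), port))]

    def fetcher(url):
        return PNG_MAGIC + b"\x00" * 16  # constructed stand-in for the image body

    cases = {
        "good": "https://cdn.banana.example/img/1.png",
        "plain_http": "http://cdn.banana.example/img/1.png",
        "file_scheme": "file:///etc/passwd",
        "internal_name": "https://internal.corp/secret.png",
        "metadata_ip": "https://169.254.169.254/latest/meta-data/",
    }
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, url in cases.items():
            try:
                path = download_image(url, tmp, f"{name}.png", fetcher, resolver)
                out[name] = path.read_bytes().startswith(PNG_MAGIC)
            except UnsafeDownload as exc:
                out[name] = f"rejected: {exc}"
        try:
            download_image(cases["good"], tmp, "../escape.png", fetcher, resolver)
        except UnsafeDownload as exc:
            out["traversal"] = f"rejected: {exc}"
    return out
```

Doing the fetch in-process also removes the subprocess call the scanner flagged; if curl must stay, the same URL and path checks belong in front of it and -L should be dropped.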

Ssd 3

Medium
Confidence
97% confidence
Finding
Advising users to provide their API key directly to the chat assistant creates unnecessary credential exposure to the assistant, platform logs, and any connected services. In the context of an agent skill, this is more dangerous because users may assume the assistant is a trusted configuration channel when it is not an appropriate secret-entry interface.
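The safer alternative the chat-key findings keep pointing at, as an added example rather than the skill's own code: resolve the key from NEWAPI_API_KEY (named on this page) or from a local config file that only the user can read, write that file with restrictive permissions so the assistant never has to handle the secret, and redact it in anything echoed back. The config path and JSON layout are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

ENV_VAR = "NEWAPI_API_KEY"                              # the variable the audit page names
DEFAULT_CONFIG = Path("~/.config/banana/config.json")   # assumed location, not from the skill


class KeySourceError(RuntimeError):
    """No usable key, or a key stored in a way the skill should refuse."""


def redact(key):
    """Safe form for logs and chat replies: never echo the full secret back."""
    return f"{key[:4]}...{key[-2:]}" if len(key) >= 12 else "***"


def key_from_config(path):
    path = Path(path).expanduser()
    if not path.is_file():
        return None
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # A key file other local users can read is as exposed as one pasted into a shared transcript.
        raise KeySourceError(f"{path} is readable by other users; chmod 600 it")
    key = json.loads(path.read_text()).get("api_key")
    return key.strip() if isinstance(key, str) and key.strip() else None


def load_api_key(env=None, config_path=DEFAULT_CONFIG):
    """Environment first, then a 0600 config file; never the conversation."""
    env = os.environ if env is None else env
    key = (env.get(ENV_VAR) or "").strip()
    if key:
        return key, "env"
    key = key_from_config(config_path)
    if key:
        return key, "config"
    raise KeySourceError(f"set {ENV_VAR} or write {config_path}; do not paste the key into chat")


def store_api_key(key, config_path):
    """Write the key to a brand-new 0600 file so the user configures it without handing it to the assistant."""
    path = Path(config_path).expanduser()
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"api_key": key}, fh)
    return path


def demo():
    """Exercise every source and failure mode against a temporary config file (constructed keys)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config.json"
        out["env_wins"] = load_api_key({ENV_VAR: "sk-env-0123456789"}, cfg)
        store_api_key("sk-file-0123456789", cfg)
        out["config_fallback"] = load_api_key({}, cfg)
        out["redacted"] = redact(out["config_fallback"][0])
        os.chmod(cfg, 0o644)
        try:
            load_api_key({}, cfg)
        except KeySourceError as exc:
            out["loose_perms"] = str(exc)
        try:
            load_api_key({}, Path(tmp) / "missing.json")
        except KeySourceError as exc:
            out["missing"] = str(exc)
    return out
```

The error message on the missing-key path is the place to put the guidance the skill's documentation lacks: tell the user where to put the key, not to paste it into the conversation.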

VirusTotal

65/65 vendors reported this skill as clean.
