Security audit

LrshuAI Text To Image

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be an image-generation helper, but it asks the agent to bypass the normal runner while sending an API key and user content to a configurable remote endpoint.

Review before installing. Use only a limited `TEAM_API_KEY`, verify that `TEAM_BASE_URL` is unset or points to a trusted service, and do not pass local images or videos unless you intend to upload them. Prefer a version that uses the standard runner or explains why direct Python execution is required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'endpoint' from os.getenv (line 39, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    print(f"Invoking model: {args.model} ...")
    try:
        response = requests.post(endpoint, headers=headers, json=payload)
        response.raise_for_status()
        result = response.json()
Confidence
95% confidence
Finding
response = requests.post(endpoint, headers=headers, json=payload)

Tainted flow: 'poll_endpoint' from os.getenv (line 132, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
        while True:
            time.sleep(3)  # poll once every 3 seconds
            poll_resp = requests.get(poll_endpoint, headers=headers)
            poll_resp.raise_for_status()
            poll_data = poll_resp.json()
Confidence
94% confidence
Finding
poll_resp = requests.get(poll_endpoint, headers=headers)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires an environment API key and instructs direct execution of a Python script that will contact external services, yet it declares no permissions. This creates a transparency and policy-enforcement gap: an agent or user may invoke code with network and secret access without explicit consent boundaries or capability review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a text-to-image tool, but the broader behavior indicates generic remote model invocation with support for image/video inputs and video-generation flows. This mismatch is dangerous because users and orchestrators may grant it access under a narrow trust assumption while it can process and exfiltrate richer media inputs to external services.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation condition is broad: effectively "when the user asks to call this skill" or whenever image generation is needed, with no precise trigger boundaries. Overbroad triggering can cause unintended execution of a Python script and external API calls, especially in ambiguous conversations or when a safer or local alternative should have been used.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The markdown instructions do not clearly warn that using the skill consumes an API key and executes a Python script that sends prompts or other data to external services. This undermines informed consent and increases the risk of unreviewed secret use, unexpected network activity, and disclosure of sensitive user content to third parties.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script sends prompts and optionally base64-encoded local images or videos to a remote service, but provides no explicit disclosure, confirmation, or safety boundary around that transfer. In a text-to-image skill context this transmission is expected functionality, but it is still security-relevant because local file contents may contain sensitive data and are silently uploaded to an external party.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.