clawimage-free

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward portrait image-generation skill that uses curl to send prompts to a disclosed third-party image API, with no install-time code or persistence found.

Install only if you are comfortable sending image prompts and generation parameters to diversityfaces.org. Avoid real names, private likeness details, confidential creative material, or other sensitive personal information in prompts, and review downloaded image filenames and locations before reuse.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger guidance is broad enough to activate on common portrait-related phrases, which can cause the skill to be invoked when the user did not explicitly consent to using this third-party image service. Because invocation sends prompts to a remote endpoint and can generate content automatically, over-triggering increases privacy and unexpected-action risk.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill promotes easy use of a no-auth remote API but does not clearly warn users up front that their prompts and resulting image requests are transmitted to a third-party service. This can lead to inadvertent disclosure of sensitive, personal, or proprietary information in prompts without informed consent.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal