火山引擎图片生成 (Volcengine image generation)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Volcengine image-generation skill that sends prompts to an external API and saves returned images locally, with some credential-handling and hardening cautions.

Install only if you intend to use Volcengine Ark for image generation. Provide ARK_API_KEY through the environment or the platform's secret settings, not as a command-line argument, and avoid sending sensitive prompts. Expect generated images to be downloaded and saved locally, and review the output files before sharing or reusing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Tainted flow: 'img_url' from requests.post (line 56, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
print(f"URL: {img_url}")

# download the image
img_response = requests.get(img_url)
if img_response.status_code == 200:
    # save to the current directory
    timestamp = int(time.time())
Confidence
89% confidence
Finding
img_response = requests.get(img_url)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill performs network access and reads an environment variable, but it does not explicitly declare corresponding permissions beyond an env requirement hint in metadata. This weakens platform-level review and user awareness because the skill can transmit user prompts and secrets externally without a clear permission contract.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The skill accepts a secret from command-line arguments and then persists it into the process environment, which expands exposure beyond the immediate parsing step. Command-line arguments are commonly visible to process listings, logs, shell history, and orchestration tooling, making this an unnecessary and risky way to handle credentials for a simple image-generation task.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading credentials from process arguments is not justified by the skill's purpose and creates avoidable secret exposure. In many environments, argv values can be inspected by other local users, captured in job metadata, or retained in shell history, turning the API key into a recoverable credential.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation wording is broad enough to match ordinary image-generation requests, which can cause the skill to run unexpectedly. Because execution includes external API calls and local file writes, accidental triggering expands the chance of unreviewed data transmission and side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description emphasizes image generation but does not clearly warn that the resulting image will be automatically downloaded and written to disk. Hidden side effects reduce informed consent and can surprise users in environments where local writes are sensitive or restricted.

External Transmission

Medium
Category
Data Exfiltration
Content
}

# send the request
response = requests.post(url, headers={
    'Authorization': f'Bearer {api_key}',
    'Content-Type': 'application/json'
}, json=data)
Confidence
90% confidence
Finding
requests.post(url, headers={ 'Authorization': f'Bearer {api_key}', 'Content-Type': 'application/json' }, json=
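The findings above describe three related weaknesses in the skill: a secret accepted on the command line and copied into the process environment, an image URL taken from the API response and fetched with no checks, and an image written into the current directory without the user being told. The block below is an added example written for this page, not the skill's own code, showing a hardened client that addresses all three at once. The Ark endpoint path in ARK_URL, the response field data[0].url, the image-host allowlist (volces.com, volccdn.com) and every function name are assumptions; the POST to Ark itself is inherent to the skill and stays, but the key is read from ARK_API_KEY only and is never printed, re-exported, or accepted from argv.

```python
"""Hardened counterpart to the scanned skill (added example, not the skill's code).
Key from ARK_API_KEY only, never copied into the environment or read from argv; the
API-supplied image URL is validated before the second request; the download is
size-capped, not redirected, and written atomically into a directory the user chose.
ARK_URL, the response shape and ALLOWED_IMAGE_HOSTS are assumptions."""
import ipaddress
import os
import sys
import time
from pathlib import Path
from urllib.parse import urlparse

try:
    import requests  # only main() needs the network; the checks below run offline
except ImportError:  # pragma: no cover
    requests = None

ARK_URL = "https://ark.cn-beijing.volces.com/api/v3/images/generations"  # assumed
ALLOWED_IMAGE_HOSTS = ("volces.com", "volccdn.com")  # assumed image CDN domains
MAX_IMAGE_BYTES = 20 * 1024 * 1024
_EXT_BY_TYPE = {"image/png": "png", "image/jpeg": "jpg", "image/webp": "webp"}


def load_api_key(argv, environ):
    """Read the key from the environment only; refuse the argv forms the scanner flagged."""
    if any(a.startswith(("--api-key", "--key", "ARK_API_KEY=")) for a in argv):
        raise ValueError("pass the key in ARK_API_KEY, not on the command line")
    key = environ.get("ARK_API_KEY", "").strip()
    if not key:
        raise ValueError("ARK_API_KEY is not set")
    return key  # returned, not written to os.environ, so child processes never inherit it


def is_safe_image_url(url, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """The URL came from the network, so treat it as tainted: https only, no embedded
    credentials, no IP literal (blocks 127.0.0.1, 169.254.169.254), host on an allowed domain."""
    try:
        p = urlparse(url)
    except ValueError:
        return False
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        return False
    host = p.hostname.lower()
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in allowed_hosts)


def output_path(out_dir, content_type, now=None):
    """Name the file from the server's Content-Type, never from anything in the URL."""
    ext = _EXT_BY_TYPE.get((content_type or "").split(";")[0].strip().lower())
    if ext is None:
        raise ValueError(f"unexpected content type {content_type!r}")
    return Path(out_dir).resolve() / f"ark_{int(time.time() if now is None else now)}.{ext}"


def download_image(url, out_dir, fetch=None, now=None):
    """Validate, fetch without following redirects (a redirect to another host would
    bypass the allowlist), stream under a size cap, write atomically. `fetch` is injectable."""
    if not is_safe_image_url(url):
        raise ValueError(f"refusing to download from {url!r}")
    if fetch is None:
        fetch = lambda u: requests.get(u, stream=True, timeout=30, allow_redirects=False)
    resp = fetch(url)
    if resp.status_code != 200:
        raise ValueError(f"download failed with HTTP {resp.status_code}")
    target = output_path(out_dir, resp.headers.get("Content-Type"), now)
    tmp = target.with_name(target.name + ".part")
    written = 0
    try:
        with open(tmp, "wb") as fh:
            for chunk in resp.iter_content(64 * 1024):
                written += len(chunk)
                if written > MAX_IMAGE_BYTES:
                    raise ValueError("image exceeds MAX_IMAGE_BYTES")
                fh.write(chunk)
        os.replace(tmp, target)
    except Exception:
        tmp.unlink(missing_ok=True)  # never leave a partial file behind
        raise
    return target, written


def generate(prompt, api_key, model, post=None):
    """Submit the prompt with the bearer token; the key is never logged or echoed."""
    if post is None:
        post = lambda u, **kw: requests.post(u, timeout=60, **kw)
    resp = post(ARK_URL, headers={"Authorization": f"Bearer {api_key}"},
                json={"model": model, "prompt": prompt, "n": 1})
    if resp.status_code != 200:
        raise ValueError(f"generation failed with HTTP {resp.status_code}")
    return resp.json()["data"][0]["url"]  # assumed OpenAI-style response shape


def main(argv):
    """usage: gen.py <model> <prompt> <output-dir>   (ARK_API_KEY set in the environment)"""
    model, prompt, out_dir = argv
    key = load_api_key(argv, os.environ)
    target, n = download_image(generate(prompt, key, model), out_dir)
    print(f"saved {n} bytes to {target}")  # the image URL is deliberately not printed


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run as `ARK_API_KEY=... python gen.py <model> "<prompt>" ./out`. The two design points worth copying into any skill with the same shape: the key never touches argv or os.environ after being read, so it cannot leak through process listings, job metadata or child processes; and the second request is made with allow_redirects=False, because a host check on the original URL alone is meaningless if the library will silently follow a 302 to an arbitrary host, including a link-local metadata address.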

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal