Meitu Skills

Security checks across malware telemetry and agentic risk

Overview

This Meitu toolkit is mostly a disclosed media-generation integration, but it needs Review because it stores cross-session visual memory/profile data and has permission and privacy-disclosure mismatches.

Install only if you are comfortable granting Meitu CLI access to your API credentials, sending media and generated prompts to Meitu OpenAPI, and allowing the skill pack to store outputs and visual preference/profile memory under the OpenClaw workspace. Review or disable memory/profile recording if you do not want photos, appearance details, style preferences, or project constraints reused across sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (202)

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
Finding:
The registry exposes substantial audio generation and React/TSX code-generation capabilities that are outside the skill’s declared image/video editing scope. This creates a capability mismatch that can mislead upstream policy, reviewers, or users and may allow invocation of higher-risk functions under a less scrutinized manifest.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding:
The skill’s stated scope is limited to ID-photo generation, yet it also persists user preferences and observations into project/global memory. This creates hidden state and data retention beyond what is necessary for the task, which can surprise users and expand privacy risk if appearance/style preferences are stored without clear, explicit consent.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
Finding:
The file claims the skill only performs ID-photo generation, but later instructs writing user preference data into project memory, scene files, or global preference files. This mismatch is dangerous because it conceals broader data handling and can lead to unauthorized persistence of personal appearance preferences across contexts.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
Finding:
The skill claims to only perform image repair, but it also reads and writes persistent preference/history data under the Record section. This expands scope from transient image processing into durable user profiling, creating privacy and data-minimization risks that are not necessary for the stated function.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding:
The protocol explicitly instructs the agent to resolve environment variables and use a persistent workspace under OPENCLAW_HOME to read and write user/project memory across sessions. For an image-editing skill, this expands data access beyond the immediate task and creates unnecessary cross-session persistence, which can expose user preferences, project metadata, and filesystem context without clear necessity or bounded consent.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding:
The document authorizes creating and modifying a broad shared filesystem hierarchy, including projects, memory, rules, and assets, under a cross-agent workspace. That gives the skill write capability over durable shared state unrelated to a single edit request, increasing the blast radius of mistakes, prompt-injection abuse, or over-collection of user data.

Intent-Code Divergence

Severity: Medium | Confidence: 87%
Finding:
The protocol says not to create the visual memory directory automatically, but later instructs the agent to create observation storage if it does not exist. This inconsistency can cause the agent to create persistent storage unexpectedly, defeating the earlier safeguard and leading to unanticipated retention of user feedback.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding:
The skill goes beyond transient image editing and explicitly stores, merges, and promotes user preferences into persistent project/global memory files. This creates unnecessary retention of behavioral data and can surprise users by carrying preferences across tasks or projects without a strong privacy boundary tied to the core product-swap function.

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
Finding:
The skill’s primary purpose is image generation, but it also persists user preferences and may modify project or global memory files. This expands behavior beyond the user’s likely expectation and creates a data-governance risk because conversational feedback can be stored and reused across sessions or projects.

Scope Creep

Severity: High | Confidence: 99%
Finding:
The documented Record workflow writes to files such as `./DESIGN.md` and `$VISUAL/memory/scenes/{scope}.md` or `global.md`, but the manifest only declares write access to `~/.openclaw/workspace/visual/`. This mismatch means the skill behavior exceeds its declared permission boundary, undermining trust and enabling unauthorized modification of project files or broader preference stores.

Scope Creep

Severity: High | Confidence: 95%
Finding:
The skill instructs reading and writing `$VISUAL/memory/observations/observations.yaml`, but the manifest only broadly grants access to `~/.openclaw/workspace/visual/` and does not clearly justify persistent memory mutation for a sticker-generation feature. This creates unnecessary access to user/project memory and enables silent persistence of preferences or other data beyond the immediate task, increasing privacy and integrity risk.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding:
The Record section adds persistent preference tracking and promotion logic unrelated to generating stickers. Even if intended as convenience, storing and promoting user preferences across sessions expands data retention and can modify project state without a strong functional need, creating avoidable privacy and behavioral risks.

Scope Creep

Severity: Medium | Confidence: 95%
Finding:
The skill instructs the agent to read project files such as `DESIGN.md`, `quality.yaml`, `global.md`, and scene files that are not declared in the manifest’s allowed read paths. This creates a permission mismatch where the documented workflow encourages broader data access than the sandbox policy communicates, increasing the risk of unintended project data exposure or policy bypass if an agent follows the instructions literally.

Scope Creep

Severity: Medium | Confidence: 97%
Finding:
The Record step tells the agent to persist observations into workspace memory files, but those specific memory paths are not declared in the permissions. Persistent writes outside the declared scope can lead to unauthorized retention of user preferences and create a mismatch between what the skill requests operationally and what it has transparently declared.

Intent-Code Divergence

Severity: High | Confidence: 97%
Finding:
The skill claims local profile and memory data never leaves the device, but later instructs the agent to read that data and embed user-specific details into prompts sent to the Meitu API. This is a privacy-deception issue: sensitive local context can be exfiltrated indirectly via prompt content even if raw files are not uploaded.

Description-Behavior Mismatch

Severity: Medium | Confidence: 87%
Finding:
The file instructs the agent to persist user preferences and profile-related data across sessions, creating a memory capability beyond one-shot image editing. Even if intended to improve personalization, this expands data retention and secondary use of user data without any visible consent, minimization, or retention controls, which increases privacy and abuse risk.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding:
The skill stores personal profile attributes including gender, name, and appearance-related key features in `PROFILE.md`. This is sensitive personal data for an editing tool, and collecting it without strong necessity, clear disclosure, and controls raises privacy risk, especially since reference photos can also be linked to the profile.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding:
The protocol instructs the agent to persist identity facts to `PROFILE.md` and reference photos to `assets/references/user.jpg`, which introduces storage of sensitive personal data not disclosed by the skill's stated image/video editing toolkit description. This creates a privacy and data-minimization issue because users may not reasonably expect long-term retention of identity attributes and photos across tasks without explicit notice and consent.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding:
The document defines cross-project observation tracking and promotion into scene/global memory, enabling longitudinal profiling of user preferences beyond a single editing session. Because this persistence is not reflected in the manifest description, it undermines informed consent and broadens the data collection scope in a way that can surprise users.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding:
The background-swap workflow explicitly allows the agent to read user memory and infer a scene when the user did not specify one. That extends processing beyond the user's immediate request and can surface sensitive personal context in outputs without clear necessity or consent, creating a privacy leakage risk.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding:
This workflow directs the system to extract facial/profile features from a generated result and persist them into `./visual/PROFILE.md` on first use. Persisting biometric-adjacent appearance data is not necessary for a one-off image editing task and creates an enduring privacy risk if the data is later reused, exposed, or combined with other profile information.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding:
The universal/workflow rules normalize reading `USER.md`, `MEMORY.md`, `SOUL.md`, and daily memory to drive generation across many scenarios. This broad personal-context harvesting exceeds what is strictly required for an image/video editing toolkit and increases the chance of unnecessary collection, inference, and disclosure of sensitive user information.

Missing User Warnings

Severity: Medium | Confidence: 78%
Finding:
The skill requests access to a credentials file and writable project paths without a prominent user-facing warning about secret handling or local file modification. In a tool that can read `~/.meitu/credentials.json` and write project artifacts, weak disclosure increases the risk of users authorizing sensitive access they do not fully understand.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding:
The text-generation tool uses broad triggers such as general writing/help requests that overlap heavily with ordinary conversation. In an agent setting, that increases the chance of accidental tool invocation, causing unintended disclosure of user content to external services or unexpected action without clear user intent.

Vague Triggers

Severity: Medium | Confidence: 91%
Finding:
The code-generation triggers include broad phrases like making a page or generating code, which can match ordinary brainstorming or design discussions. In a system with automatic tool routing, this can invoke code generation unexpectedly and escalate from conversation to artifact creation, including use of external models or unreviewed code output.

VirusTotal

65/65 vendors flagged this skill as clean.