ClawHub

lovart skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Lovart.ai API integration, but it can send design prompts to Lovart and may consume API credits.

Install this only if you intend to use Lovart.ai. Configure LOVART_API_KEY in a trusted environment, avoid sending confidential product plans, customer data, secrets, or unreleased brand material unless third-party processing by Lovart is acceptable, and consider confirming before broad design-generation requests that may use paid credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include very broad, generic requests such as 'AI 设计生成', '生成产品图片', and '创建营销素材', which can overlap with ordinary user intents unrelated to this specific integration. In an agent ecosystem, this can cause unintended activation and unnecessary routing of user prompts to an external API-backed skill, increasing privacy and cost exposure.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad enough to match many generic design and image-generation requests, which can cause the platform to invoke this skill unexpectedly. That increases the chance of misrouting user intent to an external API, leading to unintended data sharing, unnecessary API usage, or surprising behavior.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The manifest description and triggers are entirely Chinese-language, with no documented locale scoping or user-choice mechanism. This can cause incorrect activation behavior, exclusion of non-Chinese users, or unintended routing if the hosting system does not explicitly bind the skill to a Chinese locale.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad enough to overlap with ordinary user requests about design or image generation, which can cause the skill to activate unexpectedly. In a skill that sends prompts and other user-supplied content to an external API, overbroad activation increases the chance of unintended data disclosure or unapproved third-party processing.

External Transmission

Medium
Category
Data Exfiltration
Content
- `template_id`: 模板 ID(如果适用)

### 第三步:调用 API
使用以下 curl 命令模板:

```bash
curl -X POST https://api.lovart.ai/v1/design/generate \
Confidence
91% confidence
Finding
curl 命令模板: ```bash curl -X POST https://api.lovart.ai/v1/design/generate \ -H "Authorization: Bearer $LOVART_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "prompt": "<优化后的提示词>",

External Transmission

Medium
Category
Data Exfiltration
Content
使用以下 curl 命令模板:

```bash
curl -X POST https://api.lovart.ai/v1/design/generate \
  -H "Authorization: Bearer $LOVART_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
https://api.lovart.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**你的执行**:
```bash
curl -X POST https://api.lovart.ai/v1/design/generate \
  -H "Authorization: Bearer $LOVART_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
https://api.lovart.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**你的执行**:
```bash
curl -X POST https://api.lovart.ai/v1/design/generate \
  -H "Authorization: Bearer $LOVART_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
https://api.lovart.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**你的执行**:
```bash
curl -X POST https://api.lovart.ai/v1/design/generate \
  -H "Authorization: Bearer $LOVART_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
https://api.lovart.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal