moonshot skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real multimodal API helper, but it needs review because it can upload images, documents, and chat text to an external service with weak disclosure and broad triggers.

Install only if you are comfortable sending chosen images, documents, OCR content, prompts, and chat messages to the configured external API provider. Use a dedicated API key, avoid sensitive or regulated files unless approved, install dependencies in an isolated environment, and confirm the skill is intentionally invoked before using image or OCR features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The config command prints a partially masked API key to the terminal, which still exposes credential material unnecessarily. Even partial disclosure can aid shoulder-surfing, screen capture leakage, log collection, or correlation with other leaked data, and this disclosure is not needed for an image/OCR/chat CLI to function.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README instructs users to configure an external API key and use image analysis/OCR features that necessarily transmit images and extracted text to a remote service, but it does not clearly warn users that potentially sensitive images, documents, or OCR-derived content may leave the local environment. Because this skill is explicitly marketed for OCR and multimodal document/image processing, users may unknowingly submit personal, confidential, or regulated data to a third party, creating privacy, compliance, and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Displaying even a truncated API key to users without warning increases the chance that secrets are exposed through terminal history, screenshots, shared sessions, or CI logs. The skill's purpose does not justify revealing any part of the credential, so this is an avoidable secret-handling weakness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The image analysis function base64-encodes local images and sends them to a remote chat/completions endpoint, but the code provides no explicit user disclosure, consent prompt, or data-handling notice before transmission. Because images may contain sensitive personal, business, or regulated information, silent upload to an external API creates a real privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The OCR feature uploads the entire image to an external model API in order to extract text, again without warning the caller that local image contents will leave the host environment. OCR use is especially sensitive because images often contain IDs, invoices, credentials, addresses, or other high-value text that can be exposed to third parties.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The conversation method accepts an image attachment, encodes it, and includes it in the request sent to the remote model API without explicit disclosure. In an interactive chat context this is easy for users to overlook, increasing the chance that sensitive screenshots, documents, or photos are unintentionally exfiltrated to a third-party service.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger list includes very broad and incomplete phrases such as "用 ", "文案创作", and other generic commands that can match ordinary user requests unrelated to this specific skill. This increases the chance of unintended invocation, causing the skill to activate in the wrong context and potentially send user content or images to the configured external API without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The example passes a local image path into a client API for copywriting generation without any notice that the image may be uploaded to a remote model service. In practice, users often replace placeholder paths with real product, internal, or personal images, so the sample normalizes sending potentially sensitive local content off-device without informed consent or data-handling guidance.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The interactive conversation example sends detailed business and product information to the model service with no disclosure that prompts and follow-up edits may leave the local environment. This can lead users to paste proprietary marketing plans, customer details, or other sensitive content into a remote conversation channel without understanding retention, logging, or third-party processing risks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The example sends a local image path to an image-analysis client without any explicit notice that the image contents may be uploaded to a remote model service. This can cause users to unknowingly transmit sensitive local images, which is a real privacy and data-handling risk even though the code is only an example.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The batch-processing example iterates over multiple local image files and analyzes each one without warning that every file may be sent to an external service. In batch mode, the privacy risk is amplified because users may unintentionally upload several sensitive images at once.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The example writes extracted OCR text from potentially sensitive documents directly to a local file without warning, consent flow, or any mention of retention implications. In an OCR/document-processing context, extracted text may contain personal, financial, medical, or confidential business data, so silent persistence increases the chance of unintended disclosure through local access, backups, sync tools, or later reuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The batch example automatically creates an output directory and stores OCR results for multiple documents, amplifying the privacy risk because it persists potentially sensitive contents at scale. In this skill context, batch OCR is more dangerous than a single save because users may process large document sets containing regulated or confidential information, increasing the blast radius of accidental exposure.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The trigger phrases are broad, generic terms such as image analysis, OCR, and copywriting that are likely to match normal user requests unrelated to this specific skill. This can cause unintended activation and route user content, including images or documents, to the skill unexpectedly, increasing the chance of privacy, consent, and data-handling issues.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill describes OCR, image analysis, and document parsing but does not clearly warn users that uploaded images and extracted text will be transmitted to an external third-party API for processing. In this context, the omission is security-relevant because users may unknowingly send sensitive screenshots, IDs, contracts, or other confidential documents off-platform without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.