Draw Images By Apiyi

Security checks across malware telemetry and agentic risk

Overview

This skill generates images through APIYI and saves them locally. Users should understand that every prompt is sent to an external service, and that output paths should be chosen carefully.

Install only if you are comfortable using APIYI with an APIYI_API_KEY and sending image prompts to that third-party service. Prefer explicit slash-command invocation, use workspace-relative filenames, and do not put secrets, personal data, or confidential business information in prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill declares no explicit permissions even though its documented behavior clearly requires reading an API key from the environment and sending prompts over the network to a third-party service. This creates a transparency and policy gap: users and hosting frameworks may not realize the skill can access secrets and exfiltrate prompt data externally.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The natural-language trigger examples are so broad that ordinary user requests such as "Draw a cute cat for me" may invoke this skill implicitly. That increases the chance of unintentional invocation, sending a user's prompt to an external API without clear consent or awareness.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation describes image generation but does not clearly warn that prompts and related request data are transmitted to the external APIYI service. Users may unknowingly share sensitive or proprietary content with a third party, creating privacy and data-handling risk.
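
The three findings above (undeclared env/network capabilities, overly broad triggers, and a missing data-transmission warning) are all checks that can be made mechanically against a skill manifest. The following Python linter is an added example and is not SkillSpector's code or the skill's own code. The manifest layout (name, permissions, triggers, body), the permission strings env:NAME and network:HOST, and the endpoint hostname api.example.invalid are assumptions rather than any real skill-format specification; the two manifests are constructed to resemble the skill as scanned and a hardened version of it.

```python
"""Linter for the three finding classes above: undeclared env/network
capabilities, overly broad triggers, and missing user warnings.
Added example, not SkillSpector's or the skill's own code. The manifest
layout (name / permissions / triggers / body) and the permission strings
env:NAME and network:HOST are assumptions, not a real skill-format spec."""
import re
from dataclasses import dataclass

ENV_REF = re.compile(
    r"\$\{?([A-Z][A-Z0-9_]+)\}?"                                   # $NAME, ${NAME}
    r"|os\.(?:environ\[|getenv\()\s*['\"]([A-Z][A-Z0-9_]+)['\"]"   # os.environ["NAME"]
    r"|process\.env\.([A-Z][A-Z0-9_]+)"                            # process.env.NAME
)
NET_REF = re.compile(r"https?://([A-Za-z0-9.-]+)|\b(curl|wget|fetch|requests\.(?:get|post))\b")
WARNING = re.compile(r"third[- ]party|external service|sent to|transmitted", re.I)
# Words too generic to make a trigger skill-specific.
GENERIC = {"draw", "image", "images", "picture", "pictures", "generate", "create", "make"}

@dataclass
class Finding:
    category: str
    severity: str
    detail: str

def env_refs(text: str) -> set[str]:
    """Environment variable names the body reads ($X, os.environ["X"], process.env.X)."""
    return {next(g for g in m.groups() if g) for m in ENV_REF.finditer(text)}

def net_refs(text: str) -> tuple[set[str], set[str]]:
    """(hosts named in URLs, network tools/APIs used) found in the body."""
    hosts, tools = set(), set()
    for m in NET_REF.finditer(text):
        (hosts if m.group(1) else tools).add(m.group(1) or m.group(2))
    return hosts, tools

def check_least_privilege(skill: dict) -> list[Finding]:
    """Capabilities the body uses must appear in the declared permissions."""
    declared, body, out = set(skill["permissions"]), skill["body"], []
    cat = "MCP Least Privilege"
    for var in sorted(env_refs(body)):
        if f"env:{var}" not in declared:
            out.append(Finding(cat, "Medium", f"reads {var} but does not declare env:{var}"))
    hosts, tools = net_refs(body)
    if "network:*" in declared:
        out.append(Finding(cat, "Medium", "declares wildcard permission network:*"))
    for host in sorted(hosts):
        if f"network:{host}" not in declared:
            out.append(Finding(cat, "Medium", f"contacts {host} but does not declare network:{host}"))
    if tools and not hosts and not any(p.startswith("network:") for p in declared):
        out.append(Finding(cat, "Medium", f"uses {', '.join(sorted(tools))} with no network permission"))
    return out

def check_triggers(skill: dict) -> list[Finding]:
    """A trigger is specific if it is a slash command or names the service
    (a non-generic word from the skill name); anything else also matches
    ordinary requests such as "draw a cute cat for me"."""
    specific = {w.lower() for w in re.findall(r"[A-Za-z]{3,}", skill["name"])} - GENERIC
    return [Finding("Trigger Abuse", "Medium", f"overly broad trigger: {t!r}")
            for t in skill["triggers"]
            if not t.startswith("/") and not any(w in t.lower() for w in specific)]

def check_warnings(skill: dict) -> list[Finding]:
    """A body that sends data externally must say so to the user."""
    hosts, tools = net_refs(skill["body"])
    if (hosts or tools) and not WARNING.search(skill["body"]):
        return [Finding("Missing User Warnings", "Medium",
                        "sends data externally but never tells the user prompts leave the workspace")]
    return []

def scan(skill: dict) -> list[Finding]:
    return check_least_privilege(skill) + check_triggers(skill) + check_warnings(skill)

# Constructed manifests; the endpoint hostname is a placeholder, not APIYI's real URL.
REQUEST = 'curl -s https://api.example.invalid/v1/images -H "Authorization: Bearer $APIYI_API_KEY" -d @prompt.json'
AS_SCANNED = {
    "name": "Draw Images By Apiyi",
    "permissions": [],
    "triggers": ["Draw a cute cat for me", "generate an image", "make a picture"],
    "body": "Generates images through APIYI and saves them locally.\n"
            "Requires APIYI_API_KEY.\n  " + REQUEST + "\nWrites ./output/image.png\n",
}
HARDENED = {
    "name": "Draw Images By Apiyi",
    "permissions": ["env:APIYI_API_KEY", "network:api.example.invalid"],
    "triggers": ["/apiyi-draw <prompt>", "use APIYI to draw a cat"],
    "body": "WARNING: every prompt is sent to the third-party APIYI service; "
            "keep secrets and confidential data out of prompts.\n"
            "Reads APIYI_API_KEY from the environment (declared above).\n  " + REQUEST + "\n",
}

if __name__ == "__main__":
    for label, skill in (("as scanned", AS_SCANNED), ("hardened", HARDENED)):
        print(f"== {label}: {len(scan(skill))} finding(s)")
        for f in scan(skill):
            print(f"  [{f.severity}] {f.category}: {f.detail}")
```

Run as a script, the as-scanned manifest yields six findings (an undeclared env variable, an undeclared network host, three broad triggers and the missing warning) and the hardened manifest yields none. The fix for each class is visible in the HARDENED manifest: declare exactly the env variable and host used (never network:*), prefer a slash-command trigger or one that names the service, and state in the body that prompts leave the workspace.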

VirusTotal

0 of 66 vendors flagged this skill; all 66 report it as clean. A clean antivirus verdict does not address the findings above, which concern permissions and data flow rather than malicious code.
