Back to skill

Security audit

ai-image-generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward instruction-only image-generation skill that sends image prompts and image URLs to the SkillBoss API using a user-provided API key.

Install this only if you trust SkillBoss with image prompts, referenced image URLs, and generated outputs. Use a limited API key where possible, avoid secrets or sensitive personal/business data in prompts or private image URLs, and verify the GitHub repository if installing manually instead of through ClawHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest includes many broad trigger phrases such as generic image-generation and AI-art terms, which can cause the skill to activate for ordinary user requests without clear user intent. This increases the chance that prompts or image URLs are routed to the external SkillBoss service unexpectedly, creating privacy and consent risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation does not clearly warn users that their prompts and any supplied image URLs are transmitted to a third-party API. Because prompts and URLs can contain sensitive business data, personal information, or private image locations, sending them externally without prominent disclosure undermines informed consent and data-handling expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.