Security audit

ai-image-generation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward instruction-only image-generation skill that sends image prompts and image URLs to the SkillBoss API using a user-provided API key.

Install this only if you trust SkillBoss with image prompts, referenced image URLs, and generated outputs. Use a limited API key where possible, avoid secrets or sensitive personal/business data in prompts or private image URLs, and verify the GitHub repository if installing manually instead of through ClawHub.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The manifest includes many broad trigger phrases such as generic image-generation and AI-art terms, which can cause the skill to activate for ordinary user requests without clear user intent. This increases the chance that prompts or image URLs are routed to the external SkillBoss service unexpectedly, creating privacy and consent risks.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation does not clearly warn users that their prompts and any supplied image URLs are transmitted to a third-party API. Because prompts and URLs can contain sensitive business data, personal information, or private image locations, sending them externally without prominent disclosure undermines informed consent and data-handling expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.