Clawra Selfie

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it can generate images and send them to external channels from overly broad chat prompts without a clear confirmation step.

Install only if you are comfortable with this skill sending prompt text to image-generation providers and posting generated images through configured OpenClaw channels. Require explicit user intent and destination confirmation before sending, use separate scoped API keys, avoid real-person reference images without consent, and inspect or pin the remote installer if you do not install through ClawHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README instructs users to configure third-party API keys and send image-generation requests to external providers, but it does not clearly warn that prompts, reference images, and related metadata may be transmitted off-system to DashScope, Hugging Face, or Gemini. In this skill’s context, that matters because the workflow explicitly uses personal selfie/reference images and persona data, increasing the privacy sensitivity of the transmitted content.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad enough to match ordinary conversation such as 'what are you doing?' or 'how are you doing?', which could invoke image generation and message sending without clear user intent. Because the skill can use shell tooling and send content to external messaging channels, accidental activation can cause privacy issues, unwanted external actions, and unnecessary API usage or cost.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documentation references specific local face-image paths and instructs the agent to treat any existing file there as an 'official face anchor' without any visible consent, provenance, or user-notice controls. This creates a privacy and data-governance risk: personal image data could be silently incorporated into generated content, and the disclosed absolute paths reveal local environment structure that need not be exposed in the skill manifest.

External Transmission

Medium
Category: Data Exfiltration
Content
QWEN_RESULT_JSON="$WORKDIR/qwen-result.json"
  jq -n --arg model "$QWEN_IMAGE_MODEL" --arg prompt "$FINAL_PROMPT" '{model:$model,input:{prompt:$prompt},parameters:{size:"1024*1024"}}' > "$QWEN_REQ_JSON"
  log_info "Trying Qwen image model: $QWEN_IMAGE_MODEL"
  QWEN_HTTP_CODE=$(curl -sS \
    -o "$QWEN_RESP_JSON" \
    -w '%{http_code}' \
    -X POST "https://dashscope.aliyuncs.com/api/v1/services/aigc/text2image/image-synthesis" \
Confidence: 91%
Finding
curl -sS \ -o "$QWEN_RESP_JSON" \ -w '%{http_code}' \ -X POST "https://dashscope.aliyuncs.com/api/v1/services/aigc/text2image/image-synthesis" \ -H "Authorization: Bearer $QWEN_API_KEY

External Transmission

Medium
Category: Data Exfiltration
Content
GEMINI_PAYLOAD="$WORKDIR/gemini-payload.json"
  jq -n --arg text "$FINAL_PROMPT" '{contents:[{parts:[{text:$text}]}], generationConfig:{responseModalities:["TEXT","IMAGE"]}}' > "$GEMINI_PAYLOAD"
  log_info "Trying Gemini image model: $GEMINI_IMAGE_MODEL"
  GEMINI_HTTP_CODE=$(curl -sS \
    -o "$GEMINI_RESP_JSON" \
    -w '%{http_code}' \
    -X POST "https://generativelanguage.googleapis.com/v1beta/models/${GEMINI_IMAGE_MODEL}:generateContent?key=${GEMINI_API_KEY}" \
Confidence: 91%
Finding
curl -sS \ -o "$GEMINI_RESP_JSON" \ -w '%{http_code}' \ -X POST "https://generativelanguage.googleapis.com/v1beta/models/${GEMINI_IMAGE_MODEL}:generateContent?key=${GEMINI_API_KEY}" \

External Transmission

Medium
Category: Data Exfiltration
Content
RESP_HEADERS="$WORKDIR/headers.txt"
  IMAGE_PATH="$WORKDIR/output.bin"
  HF_HTTP_CODE=$(curl -sS \
    -D "$RESP_HEADERS" \
    -o "$IMAGE_PATH" \
    -w '%{http_code}' \
Confidence: 94%
Finding
curl -sS \ -D "$RESP_HEADERS" \ -o "$IMAGE_PATH" \ -w '%{http_code}' \ -X POST "$HF_API_BASE/${HF_IMAGE_MODEL:-black-forest-labs/FLUX.1-schnell}" \ -H "Authorization: Bearer $HF_TO

VirusTotal

67/67 vendors flagged this skill as clean.
