ModelScope AI Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends prompts to ModelScope to generate images. The credential-handling and hardening cautions below are worth understanding before you install it.

Install only if you are comfortable sending image prompts and model settings to ModelScope and using a ModelScope API key. Supply the key through an environment variable or a secure secret store rather than --api-key on the command line (which lands in shell history and process listings) or --save-key (which writes it to a plaintext file under your home directory), and check the output path before running, because the generated image can overwrite an existing file.
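The three cautions above (key from the environment, no plaintext key file unless it is at least 0600, no silent overwrite of the output path) as a small added example. This is not the skill's own code and not ModelScope's; the variable name MODELSCOPE_API_KEY and the file names are assumptions chosen for illustration.

```python
"""Added example, not the skill's own code: source the ModelScope key from the
environment rather than the command line, persist it only with 0600 perms if
the user insists, and never overwrite an existing output file."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Mapping, Optional

# Assumed variable name; the skill's own --api-key/--save-key flags are what
# the page warns against, so this example never reads argv for the key.
ENV_VAR = "MODELSCOPE_API_KEY"


def resolve_api_key(env: Mapping[str, str], cli_key: Optional[str] = None) -> str:
    """Prefer the environment; accept a CLI value only as a fallback.

    A key given as --api-key ends up in shell history and in `ps` output on
    shared hosts, so it is deliberately the last choice here.
    """
    key = env.get(ENV_VAR, "").strip()
    if key:
        return key
    if cli_key:
        return cli_key
    raise SystemExit(f"no API key: set {ENV_VAR}")


def save_key_restricted(path: Path, key: str) -> int:
    """Write the key to a new file created 0600 from the start (no window in
    which a default-umask file is group/world readable). Returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_image_noclobber(path: Path, data: bytes) -> bool:
    """Write the generated image only if `path` does not already exist.
    O_EXCL makes the existence check and the create a single atomic step."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo() -> dict:
    """Run the checks in a scratch directory (constructed input) and report."""
    with tempfile.TemporaryDirectory() as d:
        keyfile = Path(d) / "modelscope_key"
        out = Path(d) / "out.png"
        mode = save_key_restricted(keyfile, "sk-constructed-example")
        try:
            save_key_restricted(keyfile, "second-write")
            key_file_reused = True
        except FileExistsError:
            key_file_reused = False
        first = write_image_noclobber(out, b"\x89PNG constructed bytes")
        second = write_image_noclobber(out, b"overwrite attempt")
        return {
            "key_mode": mode,
            "key_file_reused": key_file_reused,
            "first_write": first,
            "second_write": second,
        }


if __name__ == "__main__":
    print(resolve_api_key({"MODELSCOPE_API_KEY": "from-env"}, "from-cli"))
    print(demo())
```

The O_EXCL pattern is the important part: checking `path.exists()` and then opening the file leaves a race in which another process (or a sync tool) can create the file in between, and it also lets a default umask create the key file world-readable before `chmod` runs.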

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

Tainted flow: 'image_url' from requests.get (line 120, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
import requests
from io import BytesIO
from PIL import Image

# image_url is taken straight from the API response body (network input) ...
image_url = data["output_images"][0]
print(f"Downloading image: {image_url}")

# ... and fetched with no scheme or host check (network output)
img_resp = requests.get(image_url)
img_resp.raise_for_status()

image = Image.open(BytesIO(img_resp.content))
Confidence
92% confidence
Finding
img_resp = requests.get(image_url)
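The flow flagged here is the classic server-controlled-URL problem: whatever host the API response names, the client will connect to, so a tampered or compromised response can point it at an internal metadata service, a loopback port, or an attacker's server, and the response body is read into memory without a size ceiling. The following added example (not the skill's or ModelScope's code) gates the download on a URL allowlist; the host list modelscope.cn and the 20 MiB ceiling are assumptions and must be confirmed against the API documentation before use.

```python
"""Added example, not the skill's or ModelScope's code: gate the image
download on the URL the API returned, so a tampered or compromised response
cannot redirect the client to an arbitrary or internal host."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: the host(s) ModelScope actually serves images from must
# be confirmed against the API documentation before this is used for real.
ALLOWED_HOSTS = ("modelscope.cn",)
MAX_IMAGE_BYTES = 20 * 1024 * 1024  # assumed ceiling for a generated image


def is_allowed_image_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for https URLs on an allowlisted host with no surprises.

    Rejects other schemes (file:, http:), embedded credentials, IP-literal
    hosts (blocks 169.254.169.254-style metadata endpoints and loopback),
    non-443 ports, and lookalike hosts such as modelscope.cn.evil.example.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: never what a CDN URL should look like
    except ValueError:
        pass
    if port not in (None, 443):
        return False
    host = host.rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def fetch_image_bytes(url: str, allowed_hosts=ALLOWED_HOSTS,
                      max_bytes: int = MAX_IMAGE_BYTES) -> bytes:
    """Hardened replacement for the bare requests.get(image_url) in the finding."""
    if not is_allowed_image_url(url, allowed_hosts):
        raise ValueError(f"refusing to fetch untrusted image URL: {url!r}")
    import requests  # imported lazily so the validator runs without it installed

    with requests.get(url, stream=True, timeout=30, allow_redirects=False) as resp:
        # A redirect would re-introduce an unchecked destination; treat it as an error.
        if resp.is_redirect or resp.is_permanent_redirect:
            raise ValueError("image URL redirected; not following")
        resp.raise_for_status()
        if not resp.headers.get("Content-Type", "").startswith("image/"):
            raise ValueError("response is not an image")
        buf = bytearray()
        for chunk in resp.iter_content(64 * 1024):
            buf.extend(chunk)
            if len(buf) > max_bytes:
                raise ValueError("image exceeds size limit")
    return bytes(buf)


if __name__ == "__main__":
    for u in ("https://cdn.modelscope.cn/img/a.png",
              "https://169.254.169.254/latest/meta-data/",
              "https://modelscope.cn.evil.example/a.png"):
        print(u, is_allowed_image_url(u))
```

Disabling redirects matters as much as the allowlist: an allowlisted host that issues a 302 to an arbitrary location would otherwise defeat the check, so the example fails closed instead of following it.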

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation indicates capabilities to access environment variables, read and write files, invoke shell commands, and perform network requests, yet no explicit permissions are declared. This creates a trust and review gap: users and platforms may authorize or invoke the skill without understanding that it can handle secrets such as API keys and persist them locally, increasing the chance of unintended credential exposure or broader system access.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script can persist API keys in a plaintext file under the user's home directory, which broadens the skill's capability from transient image generation to credential storage. On multi-user systems, backup/sync tools, or environments with weak filesystem protections, this increases the chance of secret disclosure.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger text is very broad, covering generic requests like 'generate image' and '画图' (Chinese for 'draw a picture'), which can cause the skill to activate in many ordinary image-related conversations outside a clearly scoped ModelScope context. Over-broad activation can lead to unintended network calls, accidental use of stored credentials, and unexpected handling of user prompts by an external service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to pass the API key on the command line or save it to a local config file, but gives no warning about the sensitivity of credentials, file permissions, command history exposure, or secure storage expectations. In practice, this can leak secrets through shell history, process listings, backups, or world-readable files, especially on shared systems.

VirusTotal

0/60 vendors flagged this skill as malicious; all 60 reported it clean. A clean antivirus result does not address the findings above, which are design and data-flow issues rather than malware signatures.

View on VirusTotal