Clawy

Security checks across malware telemetry and agentic risk

Overview

Clawy is a disclosed image-generation skill that uses external providers as expected, with privacy and hardening cautions but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending selected reference images and prompts to the chosen image provider. Use a dedicated API key where possible, avoid sensitive local file paths as custom images, leave base URL overrides unset unless you trust the endpoint, and expect the helper to download and write a fallback mother image if the local asset is missing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def openai_direct_generate(mother_path: Path, prompt: str) -> bytes:
    api_key = os.environ["OPENAI_API_KEY"]
    url = OPENAI_BASE_URL.rstrip("/") + "/images/edits"
    out = subprocess.check_output([
        "curl", "-sS", "-X", "POST", url,
        "-H", f"Authorization: Bearer {api_key}",
        "-F", "model=gpt-image-1",
Confidence
86% confidence
Finding
out = subprocess.check_output([ "curl", "-sS", "-X", "POST", url, "-H", f"Authorization: Bearer {api_key}", "-F", "model=gpt-image-1", "-F", f"prompt={prompt}",

Tainted flow: 'url' from os.environ.get (line 294, credential/environment) → subprocess.check_output (code execution)

Medium
Category
Data Flow
Content
def openai_direct_generate(mother_path: Path, prompt: str) -> bytes:
    api_key = os.environ["OPENAI_API_KEY"]
    url = OPENAI_BASE_URL.rstrip("/") + "/images/edits"
    out = subprocess.check_output([
        "curl", "-sS", "-X", "POST", url,
        "-H", f"Authorization: Bearer {api_key}",
        "-F", "model=gpt-image-1",
Confidence
89% confidence
Finding
out = subprocess.check_output([ "curl", "-sS", "-X", "POST", url, "-H", f"Authorization: Bearer {api_key}", "-F", "model=gpt-image-1", "-F", f"prompt={prompt}",

Tainted flow: 'req' from os.environ (line 207, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
headers={**headers, "Content-Type": "application/json"},
        method=method,
    )
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return json.loads(r.read().decode())
Confidence
87% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as r:

Tainted flow: 'req' from os.environ (line 207, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
def http_get_bytes(url: str, headers: Optional[dict] = None, timeout: int = 180) -> bytes:
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read()
Confidence
78% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout) as r:

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises environment access requirements but does not declare explicit permissions, while its documented and bundled behavior implies env, file read/write, network, and shell-capable script execution. This creates a trust and review gap: hosts may invoke or approve the skill without clearly understanding its effective privileges, increasing the risk of unintended data access, external transmission of images, or filesystem modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented behavior says images are only sent externally when generation is invoked, yet the skill also states it may download a fallback mother image from an external website if a local asset is missing. That mismatch weakens operator and user consent expectations and introduces unadvertised network behavior and supply-chain risk from an unauthenticated remote asset source.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads the supplied or default source image to external image-generation providers, but the CLI itself does not present a clear just-in-time disclosure or confirmation before transmission. In an agent skill, users may reasonably assume local processing unless the tool explicitly warns that their images are sent to third parties.

VirusTotal

66/66 vendors flagged this skill as clean.
