ClawHub

dmxapi-image-generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward DMXAPI image generation and editing helper, with expected external API use and local output behavior disclosed enough for its purpose.

Install only if you trust DMXAPI and the `dmxapi-cli` npm package. Use a dedicated revocable API key, watch quota or billing, choose output directories deliberately, and avoid submitting private images or confidential prompts unless DMXAPI's data handling is acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is very broad and can match many generic image-related requests, increasing the chance the agent invokes this skill when the user did not explicitly intend to use an external image-generation service. In this context, over-broad activation is risky because the skill can transmit prompts and optionally local images to a remote API and save outputs locally, so misrouting user requests can cause unintended data disclosure or side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs use of a network-backed CLI and local file output but does not explicitly warn that prompts, optional input images, and search queries may be transmitted to DMXAPI or downstream model providers, nor that generated files will be written to disk. In an image-editing skill, this omission is materially dangerous because users may supply sensitive local images or confidential prompts without informed consent, leading to privacy leakage and unexpected persistence of data on the local system.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal