Image Generation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation guidance skill that discloses its provider API use and local preference memory, with no evidence of hidden, destructive, or deceptive behavior.

Install only if you are comfortable sending prompts and any reference images to the selected image provider. Keep API keys in environment variables or the platform secret config, do not paste secrets into chat, and periodically review or delete ~/image-generation/memory.md if it contains sensitive project context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill instructs users to send prompts and an API key to Ideogram's external API but provides no user-facing disclosure that prompts and related data leave the local environment. In an agent skill context, prompts may contain sensitive user data, so the omission can lead to unintended third-party data exposure even though the example itself is a normal API integration.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup instructions create a persistent local workspace and copy a memory file without telling the user that session-derived data will be stored on disk. In an agent skill context, silent persistence can expose prompts, preferences, project details, or other sensitive workflow information to other local users, backups, or later unintended reuse.

Missing User Warnings

Medium
Confidence: 98%
Finding
The memory update instructions direct the agent to persist information from meaningful sessions, including successful prompt patterns and ongoing project style constraints, but do not warn that interaction details may be retained across sessions. This creates a privacy risk because user inputs and work context may be silently accumulated and reused without informed consent.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes very generic phrases such as 'generate image', 'image generation', and common product terms, which can cause the skill to activate for ordinary user requests that may not explicitly intend to invoke this specific skill. Over-broad activation increases the chance of unintended tool execution, accidental API usage, and routing sensitive prompts or data into external image providers without clear user intent.

VirusTotal

52/52 vendors flagged this skill as clean.
