ClawHub

fal.ai

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a fal.ai connector, but its read-oriented description is inconsistent with a documented account-changing queue cancellation action.

Review before installing. This does not look malicious from the available evidence, but users should understand that it can cancel fal.ai queue requests, not just search or read data. Install only if you want the agent to use this connector for fal.ai account operations, and require explicit confirmation before any cancellation or other state-changing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest description says the skill is for 'searching and reading data,' but the documented action set includes a mutating operation, `cancel_queue_request`. This mismatch can mislead users or upstream agents into invoking the skill under a read-only assumption, increasing the chance of unintended state-changing actions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file creates inconsistent expectations: the manifest markets the skill as read/search-only, while the action list and safety section acknowledge state-changing behavior. In agentic environments, this kind of contract mismatch is dangerous because orchestration logic may grant or auto-select the skill based on the weaker, read-only description.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The instruction to use this skill for 'ANY fal.ai request' is overly broad and can cause the skill to be selected for tasks beyond simple retrieval, including sensitive or state-changing operations. Combined with the misleading read-only description, this broad trigger increases the chance of unintended invocation and misuse.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal