openlens-skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it handles prompts, media, API keys, and saved outputs with enough under-disclosed and overbroad behavior that users should review it carefully before installing.

Install only if you trust the configured API provider and are comfortable sending prompts, uploaded media, local file contents, and bearer API keys to that provider. Rotate the bundled API key if it is real, avoid sensitive prompts or files, prefer trusted HTTPS endpoints, review where outputs are saved, and do not expose the Streamlit app on a network without adding URL validation and clearer credential handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Tainted flow: 'image_url' from requests.post (line 275, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
```python
    resp = requests.post(url, headers=_headers(api_key), json=payload, timeout=60)
    resp.raise_for_status()
    image_url = resp.json()["data"][0]["url"]
    return requests.get(image_url, timeout=60).content


def submit_video_task(base_url: str, api_key: str, model: str,
```
Confidence
94% confidence
Finding
return requests.get(image_url, timeout=60).content

Tainted flow: 'video_url' from requests.get (line 327, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
```python
                    or (data.get("videos") or [{}])[0].get("video_url")
                    or data.get("output", {}).get("url")
                )
                return requests.get(video_url, timeout=120).content
            if status in ("FAILED", "ERROR", "CANCELLED"):
                raise RuntimeError(f"Task failed with status: {status}")
            time.sleep(5)
```
Confidence
95% confidence
Finding
return requests.get(video_url, timeout=120).content

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The UI claims 'No API Keys stored', but the application stores API keys in Streamlit session_state for the duration of the session. Even if they are not persisted to disk, this is still storage in memory and creates a misleading security assurance that can cause users to trust the app with sensitive credentials under false assumptions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The Chinese footer repeats the same misleading claim that API keys are not stored, while the code keeps them in session_state during runtime. This can mislead Chinese-speaking users into disclosing secrets without understanding that the app retains them in memory for the active session.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The Japanese footer also states that API keys are not stored, but the program retains them in session_state while the app is running. This is a deceptive or inaccurate privacy statement that increases the risk of unsafe credential handling by users.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The module docstring claims 'no content filtering, pure pass-through,' but the code can materially alter user input via the optional prompt refinement flow before transmission. This is a transparency and trust issue: operators may believe the tool sends prompts unchanged when it can rewrite them, which can lead to unsafe or policy-violating output being generated under false assumptions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The release notes explicitly show use of a third-party API endpoint and describe automatic local saving of generated outputs, but they do not clearly warn users that prompts and possibly user-supplied media are transmitted off-host and that files are persisted to disk by default. In a media-generation skill, this omission can lead to unintended disclosure of sensitive prompts, images, or videos and unexpected retention of generated content on the local system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes sending prompts, image URLs, and API credentials to external video and text APIs, but it does not warn users that their inputs and secrets will be transmitted off-box to third-party services. This creates privacy and credential-handling risk because users may unknowingly expose sensitive prompts, URLs, or API endpoints/keys to external systems.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The documentation advertises automatic local saving/downloading of generated videos but does not clearly warn users that files will be written to disk automatically. This can lead to unexpected storage of sensitive or policy-violating content on the local machine, especially in shared environments or automated workflows.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill openly promotes bypassing content filtering restrictions and emphasizes being a pass-through with no safety middleware. In the context of AI video generation, this materially increases the likelihood of misuse to generate harmful, abusive, or policy-violating content and signals deliberate removal of protective controls rather than an accidental omission.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The app sends prompts, uploaded media, and API credentials to a user-configurable external endpoint without a clear, explicit warning about data disclosure or trust implications. Because the base URL is arbitrary, users can unintentionally transmit sensitive text, images, videos, and bearer tokens to an untrusted third party or attacker-controlled server.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
Advertising 'no content filtering' and 'pure pass-through' is risky in a skill that brokers user prompts to external AI generation APIs. In context, this signals deliberate absence of safety controls for potentially abusive or prohibited content and may encourage misuse, while also conflicting with the actual rewrite behavior in the code.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file contains hardcoded API keys in plaintext configuration, which is a direct secret exposure. Anyone who can read the repository, package, logs, or deployed files can reuse these credentials to access the external service, incur charges, impersonate the application, or access associated data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The interface sends prompts and uploaded images/videos to externally configured APIs but does not present a clear user-facing disclosure or consent step about data sharing. Because this app explicitly supports arbitrary base URLs, users may unknowingly transmit sensitive content and API credentials to third parties.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs `git push` and `clawhub publish` automatically with no confirmation, dry-run mode, or environment guard. In an agent or automated execution context, this can cause unintended external side effects such as publishing unreviewed code, leaking repository contents, or pushing to the wrong remote if the local checkout or remote configuration is not what the operator expects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The callable API path accepts local image_path and video_path values and uploads those files to a remote endpoint without an explicit consent check or strong disclosure at invocation time. In an agent setting, this can cause unintended exfiltration of sensitive local media if another component passes sensitive paths or if the user does not realize the skill performs remote uploads.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Prompts and system prompts are transmitted to external chat and generation endpoints, but the callable API does not prominently disclose that sensitive textual content may leave the local environment. In agent workflows, prompts can contain secrets, internal instructions, or proprietary data, so silent transmission to third-party services creates a real confidentiality risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The tool description is broad enough that an agent may invoke it in response to loosely related user requests involving image/video generation or text generation. Because the tool also accepts arbitrary URLs and API keys and writes files locally, unintended activation could trigger external network requests and local file creation without sufficiently explicit user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest explicitly supports sending prompts and bearer API keys to external endpoints and saving generated files locally, but it does not provide a prominent warning about these sensitive side effects. In an agent setting, this increases the risk of silent data exfiltration to third-party services and unexpected persistence of potentially sensitive content on the local filesystem.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Generate a video of cats playing
result = run_openlens_task(
    url="https://api.onlypixai.com/v1",
    api_key="sk-px-xxxxxxxx",
    model_id="video/wan2.6-t2v",
    prompt="Two cats playing on grass, sunny day, realistic",
```
Confidence
97% confidence
Finding
https://api.onlypixai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```json
    "properties": {
      "url": {
        "type": "string",
        "description": "API base URL, e.g. https://api.onlypixai.com/v1"
      },
      "api_key": {
        "type": "string",
```
Confidence
92% confidence
Finding
https://api.onlypixai.com/

Unpinned Dependencies

Low
Category
Supply Chain
Content
```
streamlit>=1.28.0
requests>=2.31.0
```
Confidence
93% confidence
Finding
streamlit>=1.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
```
streamlit>=1.28.0
requests>=2.31.0
```
Confidence
93% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: streamlit — 8 advisory(ies): CVE-2026-33682 (Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Expo); GHSA-8qw9-gf7w-42x5 (Minor fix to previous patch for CVE-2022-35918); CVE-2023-27494 (Streamlit publishes previously-patched Cross-site Scripting vulnerability) +5 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
streamlit

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
