美女图片生成器 (Beauty Image Generator)

Security checks across malware telemetry and agentic risk

Overview

This portrait-generation skill is not malware, but it uses a local quota lockout that can direct users to an external WeChat/social-promotion unlock path.

Review before installing. Expect the skill to run a local Python usage counter and store small quota state in your home directory; after the quota is exhausted, it may refuse to generate images and display an off-platform WeChat/social-sharing unlock message. Avoid following external payment, contact, or promotional instructions unless you trust the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes local scripts and relies on reading reference files and persisting usage state, but does not declare those capabilities. Hidden file read/write behavior undermines least-privilege review and can surprise users or platform operators, especially when state is written outside the visible skill description. In this context the behavior appears tied to metering rather than direct code execution abuse, but the undeclared filesystem access is still a real security and transparency issue.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill's stated purpose is image-generation assistance, but the workflow also enforces local usage limits, writes persistent counters, supports resets, and surfaces promotional contact messaging. This mismatch is dangerous because reviewers and users may approve a seemingly simple content skill without realizing it performs hidden monetization/control logic and off-platform funneling. The context makes it more concerning because the undisclosed statefulness and lockout behavior are unrelated to the advertised core function.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The embedded WeChat/contact and public-account promotion is unrelated to portrait generation and attempts to move users off-platform. Off-platform redirection can enable phishing, payment evasion, social engineering, or unreviewed support channels, even if the text is framed as ordinary promotion. Here it is not directly exploit code, but it creates trust and policy risk with little legitimate need inside the skill.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script implements a hidden local quota/paywall mechanism that is unrelated to the stated portrait-generation functionality and can degrade or deny expected skill behavior after an arbitrary number of uses. In this context, the gating is especially suspicious because it is paired with off-platform unlock instructions, indicating intentional coercive monetization or traffic diversion rather than a necessary security or safety control.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The hard-coded message advertises an external contact and instructs users to perform off-platform actions to regain access, which is unrelated to the declared skill purpose. This creates social-engineering risk, can funnel users to untrusted channels, and is made more dangerous by being embedded directly in functionality that blocks use of the skill.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The flow hard-requires Chinese response patterns and does not offer any user language choice, fallback, or documented locale restriction. This can exclude users, cause misunderstandings of prompts or consent/confirmation steps, and increase the chance of incorrect image-generation requests being carried out due to language mismatch.

VirusTotal

65/65 vendors flagged this skill as clean.
