ClawHub

Cheapest Image

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises: it sends image prompts to EvoLink using a disclosed API key and saves the generated image locally.

Install only if you are comfortable sending prompts to EvoLink and using an EvoLink API key that may consume paid credits. Prefer the Python script or PowerShell fallback; if using the curl example, JSON-escape prompt text or avoid prompts containing quotes/control characters. Do not include secrets, personal data, or confidential material in image prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill uses both environment secrets and outbound network access, but does not explicitly declare permissions for those capabilities. That weakens user and platform visibility into what the skill can access, which is especially relevant because it sends requests to a third-party API using an API key. In this context the behavior appears aligned with the skill’s stated purpose, so the issue is transparency and permission governance rather than hidden malicious behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to pass arbitrary prompts to an external image-generation API but does not clearly warn that prompt contents leave the local environment and are transmitted to a third party. Users may include sensitive, proprietary, or personal data in prompts, assuming the skill is local-only. Because the core trigger behavior is to immediately send colon-suffixed text as the prompt, the risk of inadvertent disclosure is higher.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal