SoloSmart Generate Image

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate SoloSmart image-generation plugin, but prompts and the configured API key are sent to the SoloSmart service.

Install only if you trust SoloSmart and are comfortable sending image prompts to the configured SoloSmart API. Do not include secrets, regulated data, or confidential business details in prompts unless your organization approves that data sharing.

Publisher note

init

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium, 92% confidence

Finding:
The README explicitly documents sending user prompts and an API key to an external SoloSmart service, but it does not clearly warn users that their inputs will leave the local OpenClaw environment and be processed by a third party. In an agent/plugin context, this can cause unintended disclosure of sensitive prompts, secrets, or regulated data if users assume the tool is local-only.

Missing User Warnings

Medium, 95% confidence

Finding:
The tool transmits the user-provided prompt directly to an external SoloSmart API, but the skill code provides no disclosure, consent mechanism, or minimization controls before sending potentially sensitive user text off-platform. In an agent/plugin context, prompts may contain confidential data, making this a real privacy and data-handling risk even if the functionality is expected.

VirusTotal

65/65 vendors flagged this plugin as clean.
