ClawHub

Color Palette Generator

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose: it runs a local image-processing script to extract color palettes, with no evidence of hidden data access, persistence, or exfiltration.

Install only if you are comfortable with the agent running a local Python script on images you provide and writing an optional swatch file. For stricter security, pin and keep Pillow updated, process only trusted or sandboxed images, and avoid ambiguous file paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to run the script directly for broadly defined image-related requests and explicitly says not to ask for confirmation. In an agent with `shell:exec`, broad auto-invocation increases the chance of unintended execution on untrusted or attacker-supplied files, which expands the attack surface and can chain with any weaknesses in downstream image parsers, path handling, or shell command construction.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow
colorgram.py
matplotlib
Confidence
97% confidence
Finding
Pillow

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow
colorgram.py
matplotlib
Confidence
93% confidence
Finding
matplotlib

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
Pillow

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal