ClawHub

Guishu GPT Image 2

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill that discloses its third-party API use and saves generated outputs locally, with privacy and endpoint-choice cautions.

Install this only if you intend to use the Guishu Token image API. Use a dedicated API key, avoid sensitive prompts, review generated request logs before sharing the output folder, and do not use a custom endpoint unless you trust it to receive your prompts and bearer token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation indicates capabilities to read environment variables, write files, and send network requests, but it does not declare permissions or provide explicit scoping. This creates a transparency and governance gap: users or orchestrators may invoke a skill that can exfiltrate secrets or perform filesystem/network actions without clear disclosure or policy controls.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation description is overly broad and includes generic phrases like image generation, demos, gallery creation, and local output, which can cause the skill to trigger in situations beyond a user's specific intent. Over-broad routing increases the chance that sensitive prompts, local files, or API-backed actions are sent to this third-party workflow unnecessarily.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: guishu-gpt-image-2
description: Generate images with Guishu Token gpt-image-2 through the OpenAI-compatible images endpoint. Use when the user wants Guishu gpt-image-2 image generation, an OpenClaw image skill, scripted image creation, local image output, prompt-to-image tests, customer demos, or a gallery of generated images through https://api.llm-token.cn/v1/images/generations.
---

# Guishu GPT Image 2
Confidence
87% confidence
Finding
https://api.llm-token.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
# Custom endpoint if the gateway changes.
python3 {baseDir}/scripts/generate.py \
  --endpoint https://api.llm-token.cn/v1/images/generations \
  --model gpt-image-2 \
  --prompt "minimal app icon, white background"
```
Confidence
83% confidence
Finding
https://api.llm-token.cn/

VirusTotal

2/64 vendors flagged this skill as malicious, and 62/64 flagged it as clean.

View on VirusTotal