ClawHub
Back to plugin

Security audit

GrowthCircle.id Provider

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GrowthCircle.id model provider, but generated-image handling downloads provider-returned URLs without clear host, scheme, or size limits.

Install only if you are comfortable sending model prompts and image-generation requests to GrowthCircle.id. Avoid using it with sensitive data until the image URL download path is constrained to trusted HTTPS hosts with size and content checks, and developers should update or avoid the flagged Vitest dev tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest configures a third-party remote inference and image-generation provider using an API key, but the visible metadata does not disclose that user prompts and images are transmitted to an external service. This creates a privacy and consent risk because users may unknowingly send sensitive data to ai.growthcircle.id, especially given the broad text and image model catalog.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The plugin fetches provider-supplied image URLs directly with no hostname allowlist, scheme restriction, or size/content validation. If the upstream service or its responses are compromised, this creates an SSRF-style primitive and can also cause unexpected outbound requests or large downloads from attacker-controlled URLs within the agent runtime.

Known Vulnerable Dependency: vitest==3.2.4 — 1 advisory(ies): CVE-2026-47429 (When Vitest UI server is listening, arbitrary file can be read and executed)

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
vitest==3.2.4

VirusTotal

59/59 vendors flagged this plugin as clean.

View on VirusTotal