ClawHub

seedream5.0 lite

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent image-generation CLI that sends prompts and optional reference images to Redfox/Volcano Ark, with no evidence of hidden execution or malicious behavior.

Install only if you are comfortable sending prompts, task metadata, and any reference images you choose to Redfox and its upstream image provider. Do not use confidential, regulated, or personal images unless you have reviewed the provider's privacy and retention terms, and prefer your own revocable API key over the shared public key for ongoing use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes automatic upload of reference images, prompt submission, task polling, and image download, but it does not clearly disclose that user prompts and uploaded images are transmitted to an external third-party service for processing. This creates a real privacy and data-handling risk because users may unknowingly send sensitive images, proprietary content, or confidential prompts off-device.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promotes zero-config image generation but does not clearly warn that prompts, reference images, and generated image data are transmitted to redfox.hk and downstream model providers. Users may unknowingly send sensitive business data, personal images, or confidential prompts to third parties.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The image-to-image workflow states that local files are automatically uploaded to OSS, but it does not present this as a user warning or privacy/security risk. This can expose private local photos or sensitive internal images to remote storage without sufficiently explicit consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal