article-images-gen

Security checks across malware telemetry and agentic risk

Overview

This is a real article illustration tool, but it rewrites article files and can turn crafted article or prompt text into local shell command execution.

Install only if you trust the articles and prompt files you will process, and keep your articles under version control or backed up because the tool edits them in place. Avoid using it on untrusted Markdown until the opencli calls are changed from shell strings to argument-array execution and the article update behavior is made explicitly opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill invokes external image-generation services through `opencli gemini image` and `opencli grok image`, which implies network-capable behavior, but the skill metadata does not declare permissions or clearly surface that external services will be contacted. This weakens reviewability and informed consent, especially because article contents may be transmitted to third-party services during prompt generation or image creation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose suggests simple illustration generation, but the documented workflow also analyzes local article content, writes multiple files, modifies the original article by inserting Markdown image references, and creates backups. This broader behavior increases the attack surface and can surprise users with local file changes and external data exposure beyond what the short description implies.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script edits the original article in place by inserting image markdown after headings and only creates a best-effort timestamped backup first. That behavior exceeds a pure illustration-generation role and can unexpectedly alter user content, which is risky in agent/tooling contexts where users may expect read-only processing of source material.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The `updateArticleWithImages` routine rewrites the article body by scanning headings and injecting markdown, giving the skill content-modification capability beyond creating illustrations. In an agent setting, this broadens the blast radius from asset generation to source-document mutation, which can corrupt documents, introduce unintended changes, or be abused when pointed at sensitive files.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill exposes a generic remote download primitive via `downloadImage(url, outputPath)` that can fetch arbitrary URLs and save them locally. In an article-illustration skill, this capability is broader than necessary and can be abused for SSRF-style access to internal services or for retrieving untrusted content to local storage, especially because there is no hostname, scheme, content-type, or size validation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown states the workflow will automatically update the article by inserting image references, but it does not present a prominent warning or confirmation step before modifying user files. Automatic content mutation is risky because it can overwrite intended formatting, corrupt documents, or make irreversible changes if backups fail or are overlooked.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function writes downloaded remote content to a caller-controlled `outputPath` after only creating parent directories, with no path restriction or safety checks. This enables arbitrary file write within the process permissions and, combined with attacker-controlled URLs, could overwrite application files, place payloads in sensitive locations, or persist untrusted data in unexpected paths.

VirusTotal

VirusTotal findings are pending for this skill version.