Security audit

tl-aliyun-image-generator

Security checks across malware telemetry and agentic risk

Overview

This image-generation skill appears to perform its advertised task, but it asks users to paste an Aliyun API key into chat and stores it persistently in a local hidden file.

Install only if you are comfortable giving this skill an Aliyun API key through chat and having it saved in the skill directory. Use a limited, revocable key, monitor Aliyun usage, remove scripts/.aliyun_key when done, and consider preinstalling and pinning the requests package yourself if you do not want the skill to run pip during normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Confidence: 95%
Content (excerpt from the skill's script; the enclosing try block and the subprocess/sys imports are restored so the excerpt runs):

    import subprocess
    import sys

    try:
        import requests
    except ImportError:
        # Installs a dependency at runtime and silences pip: stdout and stderr are discarded
        print("正在自动安装必要的依赖 (requests)...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Finding: subprocess.check_call([sys.executable, "-m", "pip", "install", "requests"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Tainted flow: 'image_url' from requests.get (line 88, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Confidence: 84%
Content (excerpt from the skill's script; the os/time/requests imports and a function wrapper are restored so the excerpt parses, and the trailing return of the preceding branch is dropped):

    import os
    import time
    import requests

    def save_generated_image(image_url):
        # Hypothetical wrapper name: the scanner output does not show the enclosing function
        if image_url:
            # image_url comes from a network response and is fetched without any validation
            img_data = requests.get(image_url).content
            download_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), "downloads")
            os.makedirs(download_dir, exist_ok=True)
            filename = f"generated_img_{int(time.time())}.png"

Finding: img_data = requests.get(image_url).content

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill invokes a local Python script, performs networked image generation, and writes files, yet declares no permissions. This mismatch undermines sandboxing and user/operator awareness, making the skill more dangerous because it can access shell, filesystem, and network capabilities without explicit disclosure or review gating.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is image generation, but the behavior also includes credential persistence, local key management, dependency installation, and filesystem writes. Hidden or under-disclosed behaviors are dangerous because they expand the trust boundary: users may provide secrets or approve execution without realizing the skill stores credentials locally and modifies the environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The README explicitly instructs users to paste a raw API key into chat and says the agent will save it locally. Collecting secrets through conversation is risky because chat logs may be retained by the host platform, other skills, telemetry, or debugging tools, and the image-generation purpose does not require the agent to receive credentials through the conversational channel.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The skill persists a user-provided API key in a local hidden file even though its declared purpose is only to generate images on request. Storing long-lived secrets on disk increases the chance of credential theft by other local processes, later reuse without user awareness, and use outside the original conversational scope.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: Auto-installing dependencies at runtime is unrelated to the advertised trigger-based image generation behavior and introduces a supply-chain and environment-tampering risk. A skill should not mutate its execution environment or fetch code during normal operation, especially without transparency or approval.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The documentation tells users to provide their API key directly in chat without any warning about exposure in logs, transcripts, or third-party systems. Because secrets entered into chat are often visible beyond the immediate skill execution context, this creates a realistic credential disclosure path.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Stating that the API key will be stored in a local hidden file without discussing file permissions, encryption, multi-user access, or storage location safety normalizes insecure credential handling. Hidden files are not secure storage and may be readable by other local users, backups, or malware.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill instructs the user to paste an Alibaba Cloud API key directly into chat and says it will be permanently saved locally. Collecting secrets through chat greatly increases the risk of accidental logging, transcript exposure, reuse by other components, and unauthorized persistence on disk without informed consent or proper protection.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The code writes the API key to a local hidden file without explicit warning, consent, encryption, or permission hardening. This is unsafe secret handling and may expose user credentials to other users, processes, backups, or later unintended reuse.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The README instructs users to hand a secret to the agent so it can persist the credential locally. This is dangerous because it encourages secret collection by the skill itself, increasing the chance of accidental disclosure through chat history, logging, or insecure local storage.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The example dialogue operationalizes the unsafe behavior by prompting for an sk-prefixed secret and confirming it has been stored. Concrete examples strongly encourage users to follow an insecure practice, making secret leakage more likely in real deployments.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The documentation says the API key will be retained locally after submission, but gives no assurance about encryption, permissions, or lifecycle management. Persistent local storage of secrets in an unspecified hidden file increases the blast radius of compromise on the host machine.

Ssd 3

Severity: High
Confidence: 99%
Finding: The instructions explicitly direct the user to submit a secret in chat and state that the Python script will automatically save it permanently to local storage for future use. In this skill context, that is especially risky because the secret is unrelated to ordinary prompt content and could be exposed through chat history, local compromise, or cross-skill access if the storage location is not isolated.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill explicitly instructs the agent to ask the user for an API key through the chat flow and pass it into the script. This normalizes collection of sensitive credentials in conversation, increasing the chance of accidental logging, prompt leakage, reuse by other components, or phishing-style credential harvesting.

Ssd 3

Severity: High
Confidence: 99%
Finding: After authentication failure, the script instructs the model to request a replacement API key from the user, again through the chat channel. Repeated prompting for secrets in natural-language flows is especially risky because it conditions users to disclose credentials and may store them in logs or agent memory.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.