Mixtiles It

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises: it uploads the user-selected photo to Cloudinary and returns a Mixtiles cart link, with privacy caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable with selected photos or image URLs being uploaded to Cloudinary and used in a Mixtiles cart link. Confirm the exact file or URL before running it, especially in batch mode, and only set the optional fallback upload URL/key for an endpoint you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to execute a local Python script, use environment variables, and perform network uploads/downloads, but it declares no permissions or user-visible capability boundaries. That mismatch is dangerous because it can cause the agent to access local files, shell out, and transmit data externally without an explicit trust/consent model, increasing the chance of unintended data exposure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger language is broad and includes phrases like 'or similar,' which can cause accidental invocation from ordinary conversation or loosely related image-sharing requests. In this skill's context, accidental invocation is more dangerous because fulfillment uploads user-provided images or URLs to third-party services, so a false trigger can lead directly to unintended external data transfer.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill omits a clear warning that local files and supplied URLs are uploaded to Cloudinary and used to generate a Mixtiles cart link, making the images publicly accessible through third-party infrastructure. This is a significant privacy and confidentiality risk because users may assume the photo stays within the assistant or Mixtiles flow, when in fact it is redistributed externally and potentially exposed via public URLs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When a remote image URL is provided, the script downloads it and/or forwards it to third-party services such as Cloudinary and an optional Railway endpoint. That creates a privacy and data-sharing risk because user-supplied image locations may be transmitted off-platform without explicit user-facing disclosure or consent.

VirusTotal

64/64 vendors flagged this skill as clean.
