TencentCloud Image AIGC Detection

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends a user-selected image or image URL to Tencent Cloud to check whether it appears AI-generated.

Install only if you are comfortable having selected images or image URLs processed by Tencent Cloud. Use scoped or temporary Tencent Cloud credentials where possible, avoid storing long-lived secrets in shared shell profiles, and do not submit private, biometric, regulated, or confidential images unless you have approval for external cloud processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill tells the agent to autonomously execute external image-analysis actions 'without asking for user confirmation.' That can cause unintended transmission of user-provided image URLs or local files to a third-party cloud service, which is especially sensitive for private images, regulated data, or local filesystem content.

Missing User Warnings

Medium
Confidence: 95%
Finding
The example code demonstrates sending either an image URL or raw Base64 image content to Tencent Cloud's remote moderation API, but the document does not warn users that image data leaves the local environment and may contain sensitive personal or regulated content. In a skill focused on image authenticity and AIGC detection, this omission is materially relevant because users may test private photos, identity documents, or other sensitive images without understanding the privacy, compliance, and cross-border data handling implications.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code transmits either a user-supplied image URL or the full Base64-encoded local image content to Tencent Cloud's remote ImageModeration API, but it does not provide an explicit consent prompt, privacy notice, or clear warning at the point of use. This is a genuine security/privacy issue because users may unknowingly send sensitive local files or regulated content to a third-party service, especially when the tool auto-detects file paths and uploads content silently.

VirusTotal

64/64 vendors flagged this skill as clean.
