Security audit

pixcli

Security checks across malware telemetry and agentic risk

Overview

The plugin appears to do what it claims, but it can upload caller-supplied local media files to a remote service and makes generated results public by default.

Install only if you are comfortable with agents sending referenced local media files to pixcli and with generated outputs being public by default. Configure `defaultPublish` to `private`, use `publish:none` for sensitive work, avoid passing arbitrary filesystem paths, and allowlist optional tools such as voice cloning only for workflows where consent and rights are clear.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README explicitly says the tools can read local files, upload them automatically, and return shareable URLs, but it does not prominently warn that this can expose sensitive local media or generated outputs to a remote service and potentially to the public. In an agent-tooling context, this is more dangerous because an agent may select the tool on a user's behalf, increasing the chance of unintended data disclosure without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The configuration example sets `defaultPublish` to `public`, which encourages public exposure of generated content and returned share URLs without an adjacent caution about privacy, access control, or suitability for sensitive inputs. In this skill's context, where user-provided files and generated media may contain private or regulated data, a public-by-default example materially increases accidental disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The tool accepts local file paths, data URIs, and remote URLs for `image`, then automatically resolves and uploads them during execution. Without an explicit execution-time warning, confirmation, or restriction, an agent or user can unintentionally exfiltrate sensitive local files or internal network-accessible resources through this upload path.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This tool accepts a local file path or remote URL for `video`, resolves/uploads it, and then submits it to a remote API, but the code itself provides no explicit user-facing consent prompt or warning at the point of transmission. In an agent setting, that can cause unintended exfiltration of sensitive local media or internal-only URLs if the caller does not clearly understand that inputs are uploaded off-host to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
This tool accepts local file paths, data URIs, and remote URLs, then automatically resolves and uploads them to a voice-cloning endpoint without any built-in confirmation, disclosure, or policy checks. In an agent setting, that creates a meaningful risk of unintended exfiltration of local audio files or unauthorized cloning of a person’s voice from arbitrary remote media, especially if higher-level calling code passes untrusted inputs directly to the tool.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
This code accepts an arbitrary local filesystem path, reads the file from the host running the plugin, and uploads its contents to a remote API. Because the same function also accepts ordinary URLs and data URIs, a caller can cause local file exfiltration with no trust boundary enforcement, path restriction, allowlist, or explicit user confirmation, which is especially dangerous in an agent/plugin context where model-controlled inputs may reach this function.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The configuration states that auto-publishing generated assets defaults to public, which can expose user-generated media through shareable URLs without an explicit privacy-preserving default or prominent warning. In a tool that handles images, voice, music, podcasts, and potentially cloned voices, accidental public exposure can leak sensitive, identifying, or proprietary content.

VirusTotal

59/59 vendors flagged this plugin as clean.