CPA GPT Image 2

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed image-generation helper that sends prompts and an API key to a configured endpoint and saves the returned image locally.

Install only if you trust the configured image-generation endpoint. Prefer explicit IMAGE_GEN_BASE_URL and IMAGE_GEN_KEY values, use a scoped or disposable API key where possible, avoid sensitive content in prompts, and write outputs to a path where overwriting or directory creation is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill documentation describes capabilities to read environment variables, make network requests, invoke shell commands, and write files, but it declares no permissions or constraints. This leaves a trust and review gap: operators may run the skill without understanding that it can read secrets from the environment and send prompt data, together with requests authenticated by those credentials, to external endpoints.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The script transmits the user prompt plus session metadata (`session_id`, user-agent/version/originator) to a remote service without any in-code disclosure, warning, or consent flow. In an agent-skill context, prompts may contain sensitive user data or workspace-derived content, so silent outbound transmission increases privacy and data-governance risk, especially when the endpoint is configurable via environment variables.
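The hardening the Overview recommends (explicit IMAGE_GEN_BASE_URL and IMAGE_GEN_KEY, a safe output path) and the gap this finding describes (prompt plus session metadata sent silently to an env-configurable endpoint) can be closed in a few lines. The following is an added illustration, not the skill's own code: it pins the endpoint to an HTTPS host on an operator allowlist, sends only the prompt, produces a disclosure string a runtime can show before the call, and writes the image without traversal or overwrite. The env variable names come from the page; the allowlist, the `/v1/images` path, the payload shape and every function name are assumptions.

```python
import pathlib
from urllib.parse import urlparse

# Assumption: operator-maintained allowlist of hosts the API key may be sent to.
ALLOWED_HOSTS = {"api.imagegen.example"}

# Fields the scanned script sends alongside the prompt (per the finding) that a
# minimal request does not need; the hardened payload omits all of them.
METADATA_FIELDS = ("session_id", "user_agent", "version", "originator")


def resolve_endpoint(env):
    """Accept IMAGE_GEN_BASE_URL only if it is set, HTTPS and allowlisted.

    An env variable alone must not be able to redirect the prompt and the key
    to an arbitrary host, so anything else raises instead of being used.
    """
    base = env.get("IMAGE_GEN_BASE_URL")
    if not base:
        raise ValueError("IMAGE_GEN_BASE_URL must be set explicitly")
    url = urlparse(base)
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"endpoint must be an https URL: {base!r}")
    if url.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"endpoint host not allowlisted: {url.hostname!r}")
    return base.rstrip("/") + "/v1/images"  # assumed API path


def build_request(prompt, env):
    """Return (url, headers, payload) for a minimal request: prompt only."""
    url = resolve_endpoint(env)
    key = env.get("IMAGE_GEN_KEY")
    if not key:
        raise ValueError("IMAGE_GEN_KEY must be set explicitly")
    headers = {"Authorization": f"Bearer {key}"}
    payload = {"prompt": prompt}  # no session_id / user-agent / originator
    return url, headers, payload


def disclosure(url, payload):
    """Text to show the user before the call: destination host and field
    names, without echoing the prompt body or the API key."""
    host = urlparse(url).hostname
    return f"Will send fields {sorted(payload)} to {host} using IMAGE_GEN_KEY."


def write_image(out_dir, name, data):
    """Write the returned bytes directly under out_dir; never overwrite.

    `name` must be a plain file name (no separators, no '..'), and the file is
    opened with 'x' so an existing file fails instead of being clobbered.
    """
    if not name or pathlib.Path(name).name != name:
        raise ValueError(f"refusing non-plain file name: {name!r}")
    base = pathlib.Path(out_dir).resolve()
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError(f"refusing path outside {base}: {name!r}")
    base.mkdir(exist_ok=True)  # only the chosen directory, nothing nested
    with open(target, "xb") as f:
        f.write(data)
    return target
```

The disclosure string is what an agent runtime should surface before the request is made; the allowlist is the control that turns a configurable endpoint from an exfiltration path into an operator decision.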

VirusTotal

66 of 66 VirusTotal vendors reported this skill as clean.
