Gigma AI Design Canvas

Security checks across malware telemetry and agentic risk

Overview

This design skill is coherent, but it needs review because broad activation can lead to cloud canvas edits, deletions, and exported signed links without clear user control.

Install only if you are comfortable with the agent creating and modifying designs in the Gigma service. Before destructive edits or exports, confirm the active project, ask for a duplicate or backup when appropriate, and avoid exporting confidential branding, unreleased assets, or sensitive text unless the signed URL sharing behavior is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill advertises very broad trigger phrases such as 'design an image', 'create a poster', and 'make a thumbnail', which are common user intents and can cause the skill to be invoked in situations where the user did not explicitly intend to use this third-party design service. In this context, unintended invocation matters because the skill enables external project creation, remote editing, image fetching, and export operations, increasing the chance of accidental data disclosure or unwanted side effects.

Missing User Warnings

Medium
Confidence: 91%
Finding
The tool list includes destructive actions like `delete_element` and `delete_all_elements` but does not warn about irreversible changes, confirmation requirements, or safer alternatives. Because this is a writable cloud canvas with project switching and batch workflows, an accidental or misrouted invocation could wipe a user's current design state or template contents.

Missing User Warnings

Medium
Confidence: 95%
Finding
The export section states that `export_canvas` uploads output to Google Cloud Storage and returns a signed URL, but it does not warn users that generated content leaves the editing environment and becomes remotely accessible for seven days. In a design workflow, exported images may contain private branding, unreleased marketing material, or sensitive embedded text, so omission of this privacy notice can lead to unintended exposure.

VirusTotal

61/61 vendors flagged this skill as clean.