ClawHub

clawaifu - OpenClaw Waifu

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it generates an anime-style image through fal.ai and sends it to a configured Telegram chat, with privacy caveats users should understand.

Install only if you are comfortable sending selfie prompts, generated image URLs, and captions to fal.ai/xAI infrastructure and Telegram. Use a dedicated Telegram bot and intended chat ID, keep the required environment variables private, and prefer explicit selfie requests or confirmation before the skill sends anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad and overlap with normal conversation such as 'how are you doing?' or 'where are you?'. That can cause unintended invocation of a shell-backed workflow that sends content to external services, leading to accidental data disclosure or unwanted outbound actions without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states it edits an image and sends it to Telegram, but it does not clearly warn that user-supplied context and captions may be transmitted to external providers. Users may unknowingly provide sensitive personal details in prompts or captions, which would then be sent to fal.ai and Telegram.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends user-controlled context to a third-party image-generation API without any consent prompt, disclosure, or data minimization. In a companion/waifu skill, users may provide intimate, identifying, or sensitive situational details, creating a meaningful privacy risk when transmitted off-platform.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The generated image URL and optional caption are sent to Telegram without warning or confirmation. Because this skill is designed to produce selfie-style companion images, the output and captions may be personal, sexualized, or otherwise sensitive, so silent forwarding to a messaging platform increases privacy and disclosure risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal