ClawHub

Generate a 3x3 grid (9-square) travel blogger style collage based on user photos and a specific destination.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only travel collage skill whose photo analysis, destination research, and image generation are disclosed and aligned with its purpose.

Install only if you are comfortable sending uploaded photos and facial appearance details to an image-generation workflow, and avoid including private itinerary details in destination prompts because landmark research may use external search. The publisher should declare any search tool requirement and narrow activation wording, but the current artifacts do not show deceptive, destructive, or unrelated behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to use `web_search` even though that tool is not declared in the manifest. This creates a tool/interface mismatch that can cause runtime failures, undefined fallback behavior, or unintended delegation to capabilities outside the declared trust boundary, which is a security and reliability issue in agentic systems.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger condition is broad enough that ordinary photo uploads plus a destination mention may auto-activate the skill without clear user intent. In a multimodal agent, that can lead to unexpected analysis of personal photos and unsolicited image generation, increasing privacy exposure and inappropriate tool invocation.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal