Security audit

Fal Ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent fal.ai media-generation helper, but users should understand that it sends selected prompts and media to fal.ai and stores local queue state on disk.

Install only if you are comfortable using a fal.ai API key and sending chosen prompts, images, videos, URLs, and possible audio to fal.ai for processing. Prefer a revocable key, avoid committing TOOLS.md, do not submit private or regulated media without considering provider handling, and clear fal-pending.json after sensitive jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Tainted flow: 'PENDING_FILE' from os.environ.get (line 61, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
def save_pending(data):
    """Save pending requests to file"""
    PENDING_FILE.parent.mkdir(parents=True, exist_ok=True)
    PENDING_FILE.write_text(json.dumps(data, indent=2))

def submit(model_id: str, input_data: dict, skip_validation: bool = False) -> dict:
    """Submit a request to the queue with validation"""
Confidence
90% confidence
Finding
PENDING_FILE.write_text(json.dumps(data, indent=2))

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents and encourages capabilities including environment variable access, reading TOOLS.md, writing persistent state, shell execution, and outbound network requests, but it does not declare permissions. This creates a transparency and governance gap: the agent may invoke sensitive capabilities without clear prior review, making misuse, overreach, or accidental data exposure harder to detect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill searches multiple local files for credentials, including TOOLS.md, which broadens secret access beyond the minimum needed for API invocation. In a skill execution environment, reading unrelated local files for secrets increases the blast radius if the skill is misused and makes credential sourcing less transparent to the user.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text is very broad, covering 'generate images and media' and 'anything involving fal.ai,' which can cause the skill to activate for ordinary creative or media-related requests that do not require this integration. Over-broad routing increases the chance of unnecessary external transmission of prompts or media and can bypass more privacy-preserving or task-specific alternatives.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill lacks a prominent warning that prompts, images, videos, URLs, and base64 data URIs are sent to the external fal.ai service. Because the skill supports uploading local media as data URIs and referencing remote URLs, users may unknowingly disclose sensitive content to a third party.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The image-edit model explicitly accepts image URLs or base64 data URIs, which can contain sensitive user-provided media, but the metadata shown here does not warn that these inputs will be transmitted to an external provider for processing. In this skill context, users are likely to submit personal or confidential images, so missing disclosure and consent guidance increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This video-edit model accepts reference video, reference images, optional element images, and can preserve original audio, all of which may contain highly sensitive biometric, personal, or confidential information. In a media-generation skill that brokers requests to an external API, failing to warn users about third-party processing materially increases privacy risk and the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client persists request inputs and later results to a local pending file, which may contain prompts, file-derived data URIs, URLs, or generated outputs. In a shared or agent-managed environment this creates a local privacy leak and long-lived storage of potentially sensitive user data without clear minimization or protection.

VirusTotal

64/64 vendors flagged this skill as clean.