AIRILAB

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its AiriLab image-generation purpose, but it installs a persistent background worker by default and stores authentication/job data locally in ways users should review first.

Review this before installing if you do not want an always-running AiriLab worker. Prefer running setup with autostart disabled, confirm where AIRILAB_HOME points, protect or periodically remove the saved token and job database, and be aware that uploaded images and generated result URLs are sent to AiriLab and written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The worker writes user-facing completion artifacts to a global `~/.openclaw/completions` directory that is outside the scheduler's own runtime directory and not scoped per user, project, or skill. Because the file content includes job IDs and generated result URLs, this can cause cross-skill or cross-user data exposure on shared hosts and creates an unintended integration point where other components may consume these files as trusted completions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The post-install script sets up a persistent background worker via systemd user services or cron, which exceeds the skill's stated purpose of handling image generation and task management on demand. Persisting a worker across reboots increases attack surface and creates ongoing code execution on the host, even when the user is not actively invoking the skill.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The installer writes a user-level systemd service and modifies the user's crontab to achieve persistence, but that capability is not justified by the declared skill scope. Host persistence mechanisms are sensitive because they grant recurring execution and can be abused for stealthy long-term activity, especially in a package install path where users may not expect system configuration changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
This script installs persistence by adding an @reboot crontab entry for a background worker, which exceeds the stated skill scope of image generation and task management. Even if intended for convenience, adding autostart behavior creates a system-level change that can keep code running outside explicit user invocation and increases abuse potential if the worker or its dependencies are compromised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The code establishes a reboot-triggered background worker via crontab, which is not part of the user-facing request scope described for AiriLab operations. Persistence mechanisms are security-sensitive because they allow the skill to continue operating after reboot without an active user request, broadening the attack surface and reducing user control.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill states that tokens, project context, job state, logs, and PID files are persisted on local disk, but it does not clearly warn the user in the outward-facing description that login state and related metadata will be stored persistently. This can expose sensitive authentication material and usage metadata to other local users, backups, or compromised processes, especially because the skill also runs a background worker and keeps long-lived state.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This code uploads arbitrary local image files to a third-party remote API using an authenticated request, but the function and CLI provide no explicit user-facing consent, privacy warning, or confirmation step before transmission. In a skill whose purpose is to handle image generation workflows, silent upload of user-provided files can expose sensitive images, metadata, or proprietary content to an external service, especially if callers do not fully understand that local files leave the system.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Autostart is enabled automatically unless the user already knows to pass --no-autostart, which is not equivalent to explicit consent. Silent persistence reduces user control and transparency, and can leave a continuously running worker that survives reboots without a clear approval step.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script directly modifies the user's crontab to add persistence without any confirmation prompt or prior authorization check. Silent changes to startup behavior are dangerous because users may not realize they have granted ongoing execution to the skill, making unauthorized persistence harder to detect and remove.

VirusTotal

66/66 vendors flagged this skill as clean.
