glm-understand-image

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform GLM image analysis as described, but it is rated Review because it normalizes plaintext API-key handling and sends user-selected images to an external service without adequate safeguards.

Install only if you trust the GLM MCP package and are comfortable sending selected images or screenshots to the GLM provider. Prefer a secret manager or locked-down environment variable over the plaintext config file, avoid printing keys in terminals or logs, pin package versions where possible, and do not submit confidential, regulated, or personal images unless that external processing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to retrieve, store, and pass an API key through local files and environment variables without any guidance on secret protection, file permissions, redaction, or shell history risks. This increases the chance of credential leakage through overly permissive config files, logs, screenshots, process listings, or accidental check-in.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs users to send local image paths or remote image URLs to a third-party MCP vision service without clearly warning that the image content may leave the local environment for external processing. Users may unknowingly upload sensitive screenshots, personal photos, internal diagrams, or confidential documents, creating privacy and data-governance risk.

Session Persistence

Medium
Category: Rogue Agent
Content
#### 3.3 Save the API Key

```bash
mkdir -p ~/.openclaw/config
cat > ~/.openclaw/config/glm.json << EOF
{
  "api_key": "API key"
}
EOF
```
Confidence: 93%
Finding
The skill's instructions as excerpted by the scanner (the final command is truncated on the page):

```bash
mkdir -p ~/.openclaw/config
cat > ~/.openclaw/config/glm.json << EOF
{
  "api_key": "API key"
}
EOF
```

### Step 4: Add the MCP server

Use mcporter to add the GLM vision MCP server:

```bash
mcporter config add glm-vision \
```
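The following script is an added example, not code from the skill or from the scan report. It places the skill's heredoc (run against a temporary directory, not the real ~/.openclaw) beside a hardened writer that covers the points raised in the Overview and in the first finding: the key is taken from an environment variable instead of a command-line argument, so it does not land in `ps` output or shell history; the file is created owner-only via `umask 077` and `chmod 600`; a permission check can be run before the key is used; and a redacted view is printed for terminals and logs. The variable name `GLM_API_KEY`, all function names, and the sample key are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the skill or the scan report.
# Assumed names: GLM_API_KEY (environment variable), every function name,
# and the constructed sample key used in demo().

# 1. What the skill tells the user to do: the key is pasted into a heredoc
#    and the file is created under the default umask (typically 022), so
#    glm.json ends up mode 644, readable by every account on the host.
write_config_plaintext() {
  cfg="$1"
  key="$2"
  mkdir -p "$(dirname "$cfg")"
  cat > "$cfg" << EOF
{
  "api_key": "$key"
}
EOF
}

# 2. Hardened writer. The key comes from an environment variable rather
#    than an argument (arguments are visible in `ps` and shell history),
#    is validated so it cannot break the JSON, and the file is created
#    owner-only from the first byte via umask 077, with an explicit
#    chmod 600 in case the file already existed with looser bits.
write_config_private() {
  cfg="$1"
  if [ -z "$GLM_API_KEY" ]; then
    echo "GLM_API_KEY is not set" >&2
    return 1
  fi
  case "$GLM_API_KEY" in
    *[!A-Za-z0-9._-]*)
      echo "GLM_API_KEY contains unexpected characters" >&2
      return 1 ;;
  esac
  mkdir -p "$(dirname "$cfg")"
  chmod 700 "$(dirname "$cfg")"
  ( umask 077
    printf '{\n  "api_key": "%s"\n}\n' "$GLM_API_KEY" > "$cfg" )
  chmod 600 "$cfg"
}

# 3. Pre-flight check: succeed only if the config is a regular file with
#    no group or other permission bits (parses `ls -ld`, GNU and BSD alike).
config_is_private() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    -???------) return 0 ;;
    *)          return 1 ;;
  esac
}

# 4. Redacted view for terminals, tickets and logs: keeps only the last
#    four characters of the key so a value can still be matched.
show_config_redacted() {
  sed -E 's/("api_key": *")(.*)(.{4}")/\1****\3/' "$1"
}

# Demo on a temporary directory so nothing touches the real ~/.openclaw.
demo() {
  d=$(mktemp -d)
  umask 022
  write_config_plaintext "$d/weak/glm.json" "sk-constructed-example-key-1234"
  if config_is_private "$d/weak/glm.json"; then
    echo "weak: private"
  else
    echo "weak: readable by other users ($(ls -ld "$d/weak/glm.json" | cut -c1-10))"
  fi
  GLM_API_KEY="sk-constructed-example-key-1234" write_config_private "$d/hardened/glm.json"
  if config_is_private "$d/hardened/glm.json"; then
    echo "hardened: private ($(ls -ld "$d/hardened/glm.json" | cut -c1-10))"
  else
    echo "hardened: still readable by other users"
  fi
  show_config_redacted "$d/hardened/glm.json"
  rm -rf "$d"
}

demo
```

A secret manager can feed `GLM_API_KEY` for a single invocation (for example `GLM_API_KEY="$(some-vault-cli read glm)" ./script.sh`, with the vault command being whatever your environment provides) so the key never appears in a file at all; if the file must exist, `config_is_private` is the check to run before the MCP server is started.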

VirusTotal

66/66 vendors flagged this skill as clean.