Mxai

Security checks across malware telemetry and agentic risk

Overview

The skill's behaviour is consistent with its stated AI image/video generation purpose, but users should review it before installing: on failure it prints overly detailed logs that may expose prompts, image references, or service metadata.

Install only if you trust mxai with the prompts and images you provide, including pasted/base64 images and image URLs. Avoid sensitive or private content, expect generation to consume credits, prefer Authorization-header authentication over query-string keys, and be aware that error output may include more service details than a typical user needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger examples are broad conversational phrases such as asking to draw, make a video, check credits, or show recent works, which can cause automatic invocation in ordinary conversation. Because this skill sends prompts and potentially images to a third-party API, over-broad matching increases the chance of unintended external data transmission and billable actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to send user prompts and images to an external HTTP API but does not provide a clear user-facing privacy disclosure at the point of use. This can lead users to unknowingly share personal images, copyrighted material, or sensitive prompts with a third-party service.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The skill requires printing detailed HTTP error logs including complete response headers and bodies into normal conversation. Even with partial masking of the API key, these logs can expose user prompts, image references, task identifiers, backend metadata, and possibly other sensitive service-returned information to the chat transcript or downstream logging systems.
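The overview's advice to prefer Authorization-header authentication over query-string keys and this finding about verbose error output share one remedy: never let the raw request URL, response headers or response body reach the chat transcript. The Python below is an added example, not code from the mxai skill or its service. It carries the credential in a header, masks credential-bearing query parameters in any URL that is reported, and reduces a failed response to status, actionable headers, a short masked message and the names of withheld fields. The API host, parameter and field names, and the sample failed response are constructed assumptions.

```python
"""Redacted error reporting for an image/video generation skill.

Added example, not code from the mxai skill or its service. The API
host, parameter and field names, and the sample failed response below
are constructed assumptions for illustration.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names that must never be echoed into a chat transcript.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
# Only headers a user can act on are kept from a failed response.
SAFE_HEADERS = {"content-type", "retry-after"}
# Query parameters that commonly carry credentials (assumed names).
SENSITIVE_QUERY_KEYS = {"key", "api_key", "apikey", "token", "access_token"}
# Body fields that echo user content or backend metadata (assumed names).
SENSITIVE_BODY_FIELDS = {"prompt", "image", "images", "image_url",
                         "task_id", "request_id", "trace_id"}
MAX_MESSAGE_LEN = 200
# A run of 32+ token-like characters inside free text is treated as a secret
# (API key, signed URL fragment, base64 image data) and masked whole.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{32,}={0,2}")


def auth_headers(api_key: str) -> dict:
    """Carry the credential in a header: URLs end up in access logs and error output."""
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def scrub_url(url: str) -> str:
    """Mask the values of credential-bearing query parameters, keeping the rest intact."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_QUERY_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scrub_message(text: str) -> str:
    """Mask token-like runs and truncate, so a service message cannot carry a key or payload."""
    text = TOKEN_RE.sub("[REDACTED]", text)
    return text if len(text) <= MAX_MESSAGE_LEN else text[:MAX_MESSAGE_LEN] + "..."


def summarize_error(status: int, url: str, headers: dict, body: str) -> dict:
    """Reduce a failed HTTP response to what the user needs instead of dumping it whole.

    Returns status, the scrubbed URL, actionable headers, a short masked message,
    and the names (never the values) of body fields that were withheld.
    """
    summary = {"status": status, "url": scrub_url(url)}
    kept = {k: v for k, v in headers.items() if k.lower() in SAFE_HEADERS}
    if kept:
        summary["headers"] = kept
    body = body or ""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = None
    if isinstance(data, dict):
        message = data.get("error") or data.get("message") or ""
        summary["message"] = scrub_message(str(message))
        withheld = sorted(k for k in data if k in SENSITIVE_BODY_FIELDS)
        if withheld:
            summary["omitted_fields"] = withheld
    else:
        # HTML error pages and other non-object bodies are reported by size only.
        summary["message"] = f"response body withheld ({len(body)} bytes)"
    return summary


# Constructed sample of a failed generation call (not captured from a real service).
SAMPLE_URL = ("https://api.example.invalid/v1/generate"
              "?key=sk_live_0123456789abcdef0123456789abcdef&model=fast")
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Set-Cookie": "session=abc123; HttpOnly",
    "Retry-After": "30",
    "X-Request-Id": "req-8f1c",
}
SAMPLE_BODY = json.dumps({
    "error": "quota exceeded for key sk_live_0123456789abcdef0123456789abcdef",
    "prompt": "a portrait of my daughter at her school",
    "image_url": "https://cdn.example.invalid/uploads/user42.png",
    "task_id": "task-9912",
})

if __name__ == "__main__":
    print(json.dumps(summarize_error(429, SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY), indent=2))
```

Only the returned summary should be written into the conversation. The token masking in `scrub_message` is a heuristic: a service that echoes the user's prompt inside its `error` string will still leak it, so treat the message as untrusted text and keep the truncation limit tight.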

VirusTotal

65/65 vendors flagged this skill as clean.