Illo

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed illustration generator that uses an OpenRouter key and optional character-pack downloads, with no evidence of hidden execution, exfiltration, or destructive behavior.

Install only if you are comfortable using an OpenRouter API key and sending prompts/reference images to OpenRouter. Use the default character repository or a repository you trust, review character.md before installing packs, and be careful with update or --force because they can replace local character-pack edits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The skill is described as a narrowly scoped editorial illustration tool, but the documented behavior expands into remote downloads, local installation/update flows, HTML gallery generation, asset repair, secret/config management, and effectively general prompt-based image generation. That mismatch is dangerous because users and hosting agents may grant trust or invoke the skill under assumptions that do not cover its actual attack surface, especially around network fetches, local file writes, and execution of repair/install paths.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The module advertises remote community-pack management subcommands that extend beyond the stated illustration-generation purpose. Expanding a skill's scope to include network retrieval and local installation of third-party content increases attack surface and creates a supply-chain risk path that is not necessary for core image generation.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code downloads remote character.md and reference.png files and writes them into the user's config directory without authenticity verification. Even though filenames are constrained, this still permits untrusted third-party content to persist locally and potentially influence later agent behavior or downstream rendering workflows.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The --repo/config packsRepo setting allows arbitrary remote base URLs for fetching index.json and pack contents. This makes the skill a generic remote content fetch-and-install mechanism, enabling easy redirection to attacker-controlled infrastructure and increasing the chance of malicious prompt/content persistence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to create directories and copy files into the user's persistent config path, which changes local state outside a temporary workspace. Although this appears to be intended functionality, it is still security-relevant because the write happens as part of the workflow without an explicit safety confirmation immediately before modification, creating risk of unintended persistence or overwriting character-pack data.

VirusTotal

65/65 vendors flagged this skill as clean.