ClawHub

Image Search

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised image search, but local image files are automatically uploaded to third-party public image hosts without a clear runtime confirmation step.

Review before installing. Use it only for images you are comfortable sending to SerpAPI and, for local files, uploading to freeimage.host or imgbb. Prefer already-public image URLs, and avoid private photos, documents, screenshots, credentials, or proprietary material unless you accept external hosting and possible retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest declares required environment variables but does not clearly declare the broader operational capabilities implied by the skill, especially outbound network access and handling of local files. In a skill that processes user images, undeclared network/data-transfer behavior reduces transparency and can lead to users or orchestrators invoking it without understanding that image data may leave the local environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a Google Lens/SerpAPI image search tool, but it also uploads local images to third-party hosting services to obtain a public URL. That materially changes the data-flow and privacy risk: sensitive local images may be published to external services unrelated to the user's stated intent, creating exposure, retention, and unauthorized sharing risks.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documentation states the skill uses Google Lens via SerpAPI, but local files are first uploaded to external image hosts, introducing a hidden third-party disclosure path. This is dangerous because users may provide private images expecting analysis only through the named provider, not public or semi-public hosting elsewhere.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatically publishing local files to image-hosting services exceeds the narrowly described purpose of visual search and broadens the attack surface to data exfiltration/privacy leakage. Even if functionally convenient, automatic external publication is not necessary from the user's perspective unless clearly justified and consented to.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill advertises image search but, for local files, silently uploads user images to third-party hosting services before sending them to SerpAPI. This creates a material data-exposure risk because sensitive local images may be published externally, potentially on a public host, without explicit informed consent or clear disclosure in the skill description or CLI flow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code contains a built-in API key for freeimage.host and will publish local user images there without requiring user configuration. Hardcoding a public upload capability enables unreviewed exfiltration of local image content to an external public service, increasing the chance of privacy breaches and unauthorized disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that local image files are automatically uploaded to third-party hosting services to obtain a searchable URL, but it does not clearly warn users that their local content will leave their machine and be sent to external providers. In an agent-skill context, users may reasonably assume local analysis or direct API submission, so this omission can cause unintended disclosure of sensitive photos, documents, screenshots, or metadata.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The automatic invocation text says the agent will use the skill when users send images asking broadly 'what is this?', which is common natural language and may trigger the skill without sufficiently informed user intent. Because this skill can upload local images to third parties, a broad trigger increases the chance of accidental activation and unintended disclosure of user-provided or locally referenced images.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill describes local file uploads without a clear warning that image data will be sent to third-party services, which can expose sensitive content, metadata, and potentially create public links. In an image-analysis context, users may upload personal photos, documents, or proprietary images, making silent transfer especially risky.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function resolves local images by uploading them externally, but there is no upfront warning at the point of use that a local file will leave the system and may be hosted by a third party. In a skill handling arbitrary user-supplied images, this omission undermines informed consent and can expose sensitive personal, corporate, or regulated data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal