ClawHub

Infographic Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Vietnamese infographic image generator that calls 9Router and writes the generated image locally, with some usability and branding caveats but no artifact-backed malicious behavior.

Install only if you are comfortable sending prompts and your configured 9Router API token to the selected 9Router-compatible endpoint. Review generated images for the mandatory footer credit, and use a controlled output filename/path so the script only writes the image where you intend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation trigger is very broad, covering common requests for infographics, news images, guides, or posters in Vietnamese. That makes unintended invocation more likely, which can cause the agent to run external code or make third-party API calls when the user did not explicitly consent to tool use or image generation via this specific service.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill is scoped only to Vietnamese-language requests without presenting user choice, which can override user preference or cause the agent to transform content in ways the user did not request. While this is not a classic security flaw, it is a policy and autonomy issue that can lead to misprocessing, incorrect outputs, or silent handling assumptions in multilingual contexts.

Natural-Language Policy Violations

Low
Confidence
95% confidence
Finding
The skill requires a fixed footer credit string on every generated image without user consent. This is risky because it injects unrequested content into outputs, can misrepresent authorship or branding, and may create compliance, trust, or impersonation issues if the user intends neutral or client-facing deliverables.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal