Photo Retouching

Security checks across malware telemetry and agentic risk

Overview

This RunningHub workflow skill mostly does what it says, but it also ships an under-disclosed Chrome DevTools automation script that can attach to, and control, any local Chrome instance that has remote debugging enabled.

Install only if you are comfortable sending selected images and workflow inputs to RunningHub and with protecting a saved local API key, which is a bearer credential for the account. Prefer the documented API client path. Do not run the Chrome automation script unless you have intentionally started a disposable Chrome profile with remote debugging enabled and understand that DevTools access can drive that browser session, including any pages it is logged in to.
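The pre-flight a practitioner would want before letting any DevTools-based script near a browser, as an added example (this is not code from the skill or from RunningHub): start Chrome on a profile directory that did not exist a moment ago, and refuse any DevTools endpoint or flag that would expose the debugging port beyond loopback. The Chrome binary path and port are assumptions; nothing here touches the everyday profile.

```python
import ipaddress
import os
import shlex
import subprocess
import tempfile
from urllib.parse import urlparse

DEFAULT_PORT = 9222  # conventional DevTools port; any free local port works


def build_disposable_chrome_argv(chrome_bin, port=DEFAULT_PORT):
    """Build an argv that starts Chrome on a brand-new, empty profile with
    remote debugging enabled. --user-data-dir points at a directory created
    this instant, so no cookies, saved passwords or logged-in sessions from
    the everyday profile are reachable through the DevTools port."""
    profile_dir = tempfile.mkdtemp(prefix="disposable-chrome-")
    return [
        chrome_bin,
        f"--user-data-dir={profile_dir}",
        f"--remote-debugging-port={port}",
        "--no-first-run",
        "--no-default-browser-check",
        "about:blank",
    ]


def profile_dir_of(argv):
    """Extract the --user-data-dir value so a caller can verify it is fresh."""
    for arg in argv:
        if arg.startswith("--user-data-dir="):
            return arg.split("=", 1)[1]
    return None


def is_fresh_profile(path):
    """A disposable profile is a directory that exists and is still empty;
    anything else (in particular the default profile) may hold live session state."""
    return path is not None and os.path.isdir(path) and not os.listdir(path)


def devtools_target_is_loopback(url):
    """Accept only DevTools HTTP/WebSocket endpoints on the local host.
    A debugging port reachable from the network lets anyone on that network
    drive the browser through the same Runtime.evaluate the findings mention."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def argv_exposes_devtools(argv):
    """A --remote-debugging-address other than loopback binds the port on an
    external interface (Chrome honours this flag in headless mode)."""
    for arg in argv:
        if arg.startswith("--remote-debugging-address="):
            addr = arg.split("=", 1)[1]
            return not devtools_target_is_loopback(f"http://{addr}/")
    return False


def launch_disposable_chrome(chrome_bin, port=DEFAULT_PORT):
    """Start the disposable instance only after both pre-flight checks pass.
    Returns the Popen handle; terminate it and delete the profile dir when done."""
    argv = build_disposable_chrome_argv(chrome_bin, port)
    if not is_fresh_profile(profile_dir_of(argv)):
        raise RuntimeError("profile directory is not a fresh, empty directory")
    if argv_exposes_devtools(argv):
        raise RuntimeError("refusing to expose DevTools beyond loopback")
    print("launching:", shlex.join(argv))
    return subprocess.Popen(argv)
```

Point the skill's DevTools URL only at this instance (`ws://127.0.0.1:<port>/...`), never at a Chrome you use day to day, and remove the temporary profile directory once the run is over so nothing the automation did persists.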

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill is described as an API client for RunningHub workflow execution, but the bundled script instead opens and controls a live Chrome page through the DevTools remote debugging interface. That scope expansion matters because browser automation can interact with authenticated sessions, page content, and local browser state, well beyond the permissions implied by a simple API integration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
Using Chrome DevTools remote debugging plus Runtime.evaluate gives the script the ability to inspect and manipulate arbitrary page state in a logged-in browser context. In an agent skill advertised as an API-based workflow client, that is an unjustified high-risk capability because it can access session-backed data and perform privileged browser actions unrelated to the stated task.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill recommends saving the API key to a local config.json file and calls this the recommended option, but it does not warn about secret exposure through filesystem access, backups, logs, or permissive file permissions. Persisting a credential locally without guidance on secure storage increases the risk of credential theft and subsequent unauthorized use of the RunningHub account.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill instructs users to upload local image files to RunningHub without clearly warning that those files are transmitted to a third-party cloud service. Where images may contain sensitive, proprietary, or personal data, the lack of an explicit disclosure can lead to unintended data leaving the local environment.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script opens a new browser page and remotely controls Chrome through the DevTools interface without any explicit user confirmation, authorization check, or interactive consent gate. That is dangerous because it can drive a user's logged-in browser session and interact with web content without the user seeing it, which is especially sensitive in a skill whose stated purpose is ordinary API execution.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script provides a `--save-key` option that persists the API key in `config.json` in plaintext. Storing a bearer credential unencrypted on disk exposes it to other local users, accidental commits, backups, or malware, and the tool neither enforces restrictive file permissions nor warns clearly about this persistence risk.
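The two config.json findings above (the undocumented plaintext save and the missing permission enforcement) come down to one concrete fix, shown here as an added example that is not the skill's own code. The weak variant is the assumed shape of a plain `--save-key` (open + json.dump, so the file gets the process umask, usually 0644); the hardened variant creates the file owner-only (0600) and refuses to clobber an existing one, and an audit function reports what a reviewer would check on an already-saved file. The key string is constructed, the file names are assumptions, and the permission checks are POSIX-only.

```python
import json
import os
import stat
import tempfile

# Constructed example value; not a real RunningHub credential.
EXAMPLE_KEY = "rh_example_0123456789abcdef"


def save_key_weak(path, api_key):
    """Assumed shape of the skill's --save-key: open()+json.dump, so the file is
    created with the process umask (0644 under the common umask 022, i.e.
    readable by every local account)."""
    with open(path, "w") as f:
        json.dump({"api_key": api_key}, f)


def save_key_hardened(path, api_key):
    """Create config.json owner read/write only and never silently overwrite an
    existing file (O_EXCL), so a second --save-key cannot replace a key unnoticed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"api_key": api_key}, f)
    # The O_CREAT mode is still masked by umask; pin 0600 explicitly.
    os.chmod(path, 0o600)


def config_permission_issues(path):
    """Audit a saved config file; returns human-readable issues (empty = clean)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append(f"{path} is readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"{path} is writable by group/others (mode {mode:04o})")
    if st.st_uid != os.getuid():
        issues.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    return issues


def load_key(path):
    with open(path) as f:
        return json.load(f)["api_key"]


def demo():
    """Write both variants into a fresh temp dir under umask 022 (a common
    default) and return what an auditor would observe for each."""
    old_umask = os.umask(0o022)
    try:
        d = tempfile.mkdtemp(prefix="rh-config-demo-")
        weak = os.path.join(d, "config-weak.json")
        hardened = os.path.join(d, "config.json")
        save_key_weak(weak, EXAMPLE_KEY)
        save_key_hardened(hardened, EXAMPLE_KEY)
        return {
            "weak_mode": stat.S_IMODE(os.stat(weak).st_mode),
            "hardened_mode": stat.S_IMODE(os.stat(hardened).st_mode),
            "weak_issues": config_permission_issues(weak),
            "hardened_issues": config_permission_issues(hardened),
            "roundtrip": load_key(hardened) == EXAMPLE_KEY,
        }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run `config_permission_issues` against an existing `config.json` before trusting it; a non-empty list means the key should be treated as exposed and rotated at RunningHub, not just re-permissioned. Even at 0600 the key remains readable by any process running as the same user, so the file still belongs outside repositories and backup sets.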

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean. A clean antivirus verdict only means no known malware signature matched; it says nothing about the behavioural findings above, which concern legitimate browser-automation and credential-handling code used outside the skill's stated scope.