Byted Kickart Ai Beauty

Security checks across malware telemetry and agentic risk

Overview

This image-beauty skill has real advertised functionality, but it also asks for cloud secrets in chat, logs authorization data, and performs an account/package registration step without clear user consent.

Only install after reviewing the credential and account-impact behavior. Do not paste cloud AK/SK (access key / secret key) pairs into chat; use scoped, revocable credentials or a secure secret store. Expect images, URLs, and archive contents to be sent to a remote service, and be aware the skill may register or check a service package and may write sensitive request data (including authorization headers) to local logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding:
The skill explicitly instructs the agent to ask users to paste cloud access credentials into chat and then export them as environment variables. Collecting high-value secrets through chat for an image beautification workflow is unjustified and creates a direct path to credential theft, accidental retention in logs, misuse by the agent, or compromise of the user's broader cloud account.

Intent-Code Divergence

Severity: Medium | Confidence: 68%
Finding:
The documentation claims sensitive configuration is only temporary and not persisted, but elsewhere relies on a persistent Task ID for later status checks. This inconsistency can mislead users about what state is retained and undermines trust around handling of sensitive or correlatable execution metadata.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding:
The V2 client constructs its destination from the fully environment-controlled ARK_SKILL_API_BASE without validating scheme, host, or allowlisted domains. If an attacker or misconfigured runtime can influence that variable, the skill may send user data and bearer credentials to an arbitrary endpoint, creating SSRF-style egress and credential-exfiltration risk.
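The check this finding calls for is a strict allowlist on the base URL before any request is built. The following is an added example, not the skill's own client code: it keeps the variable name ARK_SKILL_API_BASE from the finding, but the allowed host (api.example-ark.invalid) and the default base are hypothetical placeholders for the real service hosts. `unsafe_api_base` shows the pattern as reported; `resolve_api_base` is the hardened form.

```python
"""Allowlisted resolution of an environment-supplied API base URL.

Added example, not the skill's code. ALLOWED_HOSTS and DEFAULT_BASE are
hypothetical; pin them to the real vendor API hosts.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"api.example-ark.invalid"})  # hypothetical
DEFAULT_BASE = "https://api.example-ark.invalid"        # hypothetical


class UnsafeApiBase(ValueError):
    """Raised when the configured base URL fails the allowlist checks."""


def unsafe_api_base(env: dict) -> str:
    """The pattern the finding describes: the environment value is used as-is,
    so http://, a foreign host, or user@host tricks all reach the request layer."""
    return env.get("ARK_SKILL_API_BASE", DEFAULT_BASE)


def resolve_api_base(env: dict, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Accept only https, no userinfo, an allowlisted host, no query/fragment."""
    raw = env.get("ARK_SKILL_API_BASE", DEFAULT_BASE).strip()
    try:
        parts = urlsplit(raw)
    except ValueError as exc:
        raise UnsafeApiBase(f"unparseable base URL: {raw!r}") from exc
    if parts.scheme != "https":
        raise UnsafeApiBase(f"scheme must be https, got {parts.scheme!r}")
    # "https://allowed-host@evil" parses with hostname=evil and username=allowed-host.
    if parts.username is not None or parts.password is not None:
        raise UnsafeApiBase("userinfo in API base is not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UnsafeApiBase(f"host {host!r} is not allowlisted")
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise UnsafeApiBase("invalid port in API base") from exc
    if parts.query or parts.fragment:
        raise UnsafeApiBase("query/fragment in API base is not allowed")
    path = parts.path.rstrip("/")  # normalise so later path joins are predictable
    suffix = f":{port}" if port not in (None, 443) else ""
    return f"https://{host}{suffix}{path}"


def is_safe_api_base(value: str) -> bool:
    """Convenience predicate for config validation at startup."""
    try:
        resolve_api_base({"ARK_SKILL_API_BASE": value})
        return True
    except ValueError:
        return False
```

Validate once at startup and fail closed; a bearer token should never be attached to a request whose destination was not checked against the allowlist.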

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding:
The skill queries IAM user listings and preferentially selects an admin user ID, which exceeds the least-privilege needs of an image beautification workflow. If the backing credentials can enumerate organization users, this creates unnecessary exposure of identity metadata and risks performing media operations under an elevated owner context.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding:
The module persists uploaded media metadata, source file paths, account identifiers, and timestamps to local CSV storage under /tmp without any minimization, retention control, or access protection shown. For an image beautification skill, this creates unnecessary local data retention and increases privacy exposure if the host is multi-tenant, compromised, or logs/tmp contents are accessible.
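A minimised alternative to the /tmp CSV described above, added here as an example rather than taken from the skill: it keeps only what a later status check needs (timestamp, task id) plus hashed rather than raw identifiers, writes to a per-user 0700 directory with 0600 files instead of the shared /tmp, and enforces a retention window. The directory location, column layout and 24-hour retention are illustrative choices.

```python
"""Minimised, access-restricted local record of processed media.

Added example, not the skill's code. Paths, columns and the retention
window are illustrative.
"""
from __future__ import annotations

import csv
import hashlib
import os
import stat
import time

RETENTION_SECONDS = 24 * 3600  # illustrative retention window


def _digest(value: str) -> str:
    """Non-reversible handle: enough to correlate, useless to whoever reads the file."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def record_dir(base: str | None = None) -> str:
    """Per-user directory (not the shared /tmp), forced to mode 0700."""
    base = base or os.path.join(os.path.expanduser("~"), ".cache", "beauty-skill")
    os.makedirs(base, mode=0o700, exist_ok=True)
    os.chmod(base, 0o700)
    return base


def append_record(path: str, *, source_path: str, account_id: str, task_id: str, now: float | None = None) -> None:
    """Store time, task id and hashed identifiers only; never the raw path or account id."""
    now = time.time() if now is None else now
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.fchmod(fd, 0o600)  # enforce even if the file pre-existed with looser bits
    with os.fdopen(fd, "a", newline="") as fh:
        csv.writer(fh).writerow([int(now), task_id, _digest(source_path), _digest(account_id)])


def load(path: str) -> list[list[str]]:
    if not os.path.exists(path):
        return []
    with open(path, newline="") as fh:
        return [row for row in csv.reader(fh) if row]


def prune(path: str, now: float | None = None, retention: int = RETENTION_SECONDS) -> int:
    """Drop rows older than the retention window; returns how many were removed."""
    now = time.time() if now is None else now
    rows = load(path)
    keep = [r for r in rows if int(r[0]) >= now - retention]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        csv.writer(fh).writerows(keep)
    return len(rows) - len(keep)


def file_mode(path: str) -> int:
    """Permission bits of a file, for verifying the 0600 invariant."""
    return stat.S_IMODE(os.stat(path).st_mode)
```

Call `prune` at skill start-up so stale rows do not accumulate across sessions; if the backing service's Task ID is itself sensitive, hash it the same way and keep the raw value only in memory for the active session.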

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding:
The skill metadata describes an AI beauty/image-enhancement capability, but the code instead invokes a backend action named "RegisterArkClawCombo" to register a free package. This is a clear functionality mismatch and indicates the skill may perform an undisclosed network-backed account or service action on behalf of the user, which is dangerous because it can trigger unauthorized enrollment or abuse of external services under false pretenses.

Intent-Code Divergence

Severity: Medium | Confidence: 98%
Finding:
The comment and docstring explicitly state that the command queries/registers a free Ark Claw package, directly contradicting the declared beauty-photo purpose of the skill. In this context, the contradiction is not harmless documentation drift; it corroborates that the skill is intentionally repurposed for an undisclosed action, increasing the likelihood of deceptive behavior.

Vague Triggers

Severity: Medium | Confidence: 79%
Finding:
The trigger terms are extremely broad beauty-related phrases, which can cause the skill to activate in contexts where users did not clearly consent to external image processing or file handling. Overbroad activation increases the chance of accidental invocation on sensitive images, URLs, or local files.

Missing User Warnings

Severity: High | Confidence: 95%
Finding:
The skill accepts local files, URLs, and archives for processing by an external service but does not prominently warn users that their content will be transmitted off-platform. This is dangerous because users may unknowingly expose private photos, metadata, or archive contents to a third party.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
The skill instructs the handling of user credentials without a strong safety warning or secure credential collection mechanism. Asking for cloud secrets in chat normalizes unsafe secret-sharing behavior and can lead to credential exposure through logs, transcripts, prompt leakage, or unauthorized reuse.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
The code logs full request headers and body before sending the request, which includes Authorization data and potentially sensitive image-processing payloads or user metadata. These logs can expose AK/SK-derived auth material, bearer tokens, and private request content to operators, log aggregation systems, or anyone with log access.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The bearer token is read from environment and attached to outbound requests, while the destination base URL is also environment-controlled and request details are logged. In this combination, a misconfigured or malicious endpoint can receive the token, and logs may also disclose it, making unauthorized API access and downstream abuse plausible.

Missing User Warnings

Severity: Medium | Confidence: 99%
Finding:
The request logging includes full headers and request bodies, which can expose bearer tokens, authorization signatures, and potentially sensitive user-submitted media metadata. If logs are accessible to operators, other services, or incident responders without strict controls, these secrets can be reused for unauthorized API access and user data disclosure.
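The three logging findings above (full headers and body logged before send, the bearer token reaching logs, and secrets reusable from log access) share one fix: redact before the log call, never after. The following is an added example, not the skill's code: it replaces sensitive header values with a short hash so requests can still be correlated, walks JSON bodies and blanks secret-looking keys, summarises binary bodies by size and hash, and truncates everything else. The header and key lists and the 200-character cap are illustrative choices.

```python
"""Redact request headers and bodies before they reach a logger.

Added example, not the skill's code. Header/key lists and MAX_BODY_CHARS
are illustrative.
"""
import hashlib
import json

SENSITIVE_HEADERS = frozenset({
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-security-token",
})
SENSITIVE_KEYS = frozenset({
    "ak", "sk", "accesskey", "accesskeyid", "secretkey", "secretaccesskey",
    "apikey", "authorization", "token", "accesstoken", "password", "secret",
})
MAX_BODY_CHARS = 200


def _fingerprint(data: bytes) -> str:
    """Short, non-reversible handle so operators can correlate without recovering the value."""
    return hashlib.sha256(data).hexdigest()[:12]


def _is_sensitive_key(key: str) -> bool:
    norm = "".join(ch for ch in key.lower() if ch.isalnum())  # "secret_key" -> "secretkey"
    return norm in SENSITIVE_KEYS or norm.endswith(("secret", "token", "password"))


def _redact_json(obj):
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if _is_sensitive_key(str(k)) else _redact_json(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return obj


def redact_headers(headers: dict) -> dict:
    out = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            out[name] = f"[REDACTED sha256:{_fingerprint(str(value).encode())}]"
        else:
            out[name] = value
    return out


def redact_body(body) -> str:
    if body is None:
        return "<no body>"
    raw = bytes(body) if isinstance(body, (bytes, bytearray)) else str(body).encode()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Image payloads: log size and hash only, never the content.
        return f"<binary {len(raw)} bytes sha256:{_fingerprint(raw)}>"
    try:
        text = json.dumps(_redact_json(json.loads(text)))
    except ValueError:
        pass  # not JSON: fall through to truncation only
    if len(text) > MAX_BODY_CHARS:
        text = text[:MAX_BODY_CHARS] + f"...(+{len(text) - MAX_BODY_CHARS} chars)"
    return text


def log_request(logger, method: str, url: str, headers: dict, body):
    """Drop-in for 'log headers and body before sending'; returns what was logged."""
    safe_headers, safe_body = redact_headers(headers), redact_body(body)
    logger.info("request %s %s headers=%s body=%s", method, url, safe_headers, safe_body)
    return safe_headers, safe_body
```

Non-JSON text bodies (form-encoded, XML) are only truncated here, so for those formats add a format-specific redactor or log nothing but the size; the safe default when in doubt is the binary branch.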

Missing User Warnings

Severity: Medium | Confidence: 85%
Finding:
The code uploads user-provided files to a remote service, including hashes and full file contents, with no indication of consent, destination transparency, or policy gating in this layer. In a beauty-image skill handling personal photos, silent third-party transfer materially raises privacy and compliance risk, especially for face images.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The code performs a network-backed registration call immediately via IccpService.post("RegisterArkClawCombo", b"") without any warning, consent prompt, or confirmation step. Even aside from the deceptive skill mismatch, silent registration actions can cause unauthorized account changes, billing/subscription side effects, or misuse of a user's environment and credentials.
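The control missing here is a gate between the skill's declared purpose and the backend actions it may invoke: read-only actions pass silently, declared side-effecting actions require explicit user confirmation, and anything undeclared is refused and recorded. The following is an added example, not the skill's code; `fake_transport` stands in for the IccpService.post-style call named in the finding, the action names QueryTaskStatus and SubmitBeautifyTask are hypothetical, and RegisterArkClawCombo is the undeclared action the finding reports.

```python
"""Consent gate for backend actions, keyed to the skill's declared purpose.

Added example, not the skill's code. QueryTaskStatus / SubmitBeautifyTask
are hypothetical action names; fake_transport stands in for the real
IccpService.post call.
"""
from dataclasses import dataclass, field


class ActionDenied(PermissionError):
    """Raised for undeclared actions, or declared side effects without consent."""


@dataclass
class ActionPolicy:
    purpose: str
    read_only: frozenset        # safe to call without prompting
    side_effecting: frozenset   # declared, but need explicit user confirmation
    audit: list = field(default_factory=list)

    def authorize(self, action: str, user_confirmed: bool) -> str:
        if action in self.read_only:
            decision = "allow"
        elif action in self.side_effecting:
            decision = "allow" if user_confirmed else "needs-confirmation"
        else:
            decision = "deny"  # e.g. RegisterArkClawCombo inside a beauty skill
        self.audit.append((action, user_confirmed, decision))
        return decision


class GatedClient:
    """Wraps a transport so every action passes the policy first."""

    def __init__(self, transport, policy: ActionPolicy):
        self._transport = transport
        self.policy = policy

    def post(self, action: str, body: bytes = b"", *, user_confirmed: bool = False):
        decision = self.policy.authorize(action, user_confirmed)
        if decision != "allow":
            raise ActionDenied(f"{action!r}: {decision} (declared purpose: {self.policy.purpose})")
        return self._transport(action, body)

    def try_post(self, action: str, body: bytes = b"", *, user_confirmed: bool = False):
        """Non-raising variant: returns (decision, result) so an agent can surface
        'needs-confirmation' to the user instead of silently proceeding."""
        try:
            return "allow", self.post(action, body, user_confirmed=user_confirmed)
        except ActionDenied:
            return self.policy.audit[-1][2], None


def fake_transport(action: str, body: bytes) -> dict:
    """Constructed stand-in for the network call; records what would have been sent."""
    return {"action": action, "bytes": len(body)}


BEAUTY_POLICY = ActionPolicy(
    purpose="image beautification",
    read_only=frozenset({"QueryTaskStatus"}),
    side_effecting=frozenset({"SubmitBeautifyTask"}),
)
```

The audit list is the artefact a reviewer wants: a skill whose manifest says "beauty" but whose audit shows a "deny" for a registration action is exactly the description-behaviour mismatch reported above, caught at runtime rather than only by static scanning.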

Ssd 3

Severity: High | Confidence: 99%
Finding:
The skill tells the agent to solicit cloud access keys directly in chat and use them in-session. This is a severe secret-handling flaw because chat is not a safe credential input channel, and the resulting keys may permit broader cloud actions far beyond the intended image processing task.
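The credential findings above (the agent asked to solicit AK/SK in chat, no safe collection mechanism, and keys usable far beyond image processing) point to one design rule: the skill loads credentials from the environment or a permission-checked secret file, and the agent refuses and redacts anything that looks like a pasted key. The following is an added example, not the skill's code. The variable names ARK_ACCESS_KEY and ARK_SECRET_KEY, the secret-file format, and the "looks like a pasted key" regex are hypothetical; the regex is a generic heuristic (a key-like label followed by a 16+ character token), not any vendor's real key format.

```python
"""Keep cloud AK/SK out of chat: load from a secure source, refuse pasted secrets.

Added example, not the skill's code. Variable names, file format and the
detection heuristic are hypothetical.
"""
from __future__ import annotations

import os
import re
import stat
from dataclasses import dataclass

ACCESS_KEY_VAR, SECRET_KEY_VAR = "ARK_ACCESS_KEY", "ARK_SECRET_KEY"  # hypothetical


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    source: str  # "env" or "file": for audit, never the secret itself


class CredentialPolicyError(RuntimeError):
    """Raised when credentials are missing or would come from an unsafe channel."""


# Heuristic: a key-ish label, an optional "is"/"="/":", then a long token-like run.
_PASTED_SECRET = re.compile(
    r"\b(?:AK|SK|access[_ ]?key(?:[_ ]?id)?|secret[_ ]?(?:access[_ ]?)?key|secret)\b"
    r"\s*(?:is|=|:)?\s*['\"]?([A-Za-z0-9+/=_\-]{16,})",
    re.IGNORECASE,
)


def find_secrets_in_chat(message: str) -> list[str]:
    """Token-like values that look like pasted credentials."""
    return [m.group(1) for m in _PASTED_SECRET.finditer(message)]


def redact_chat(message: str) -> str:
    """Keep the label, blank the value, so the transcript shows what was refused."""
    return _PASTED_SECRET.sub(lambda m: m.group(0)[: m.start(1) - m.start(0)] + "[REDACTED]", message)


def handle_user_message(message: str) -> tuple[str, str]:
    """Agent-side gate: refuse chat-supplied keys and return the redacted line to store."""
    if find_secrets_in_chat(message):
        return "refused", redact_chat(message)
    return "ok", message


def write_secret_file(path: str, access_key: str, secret_key: str) -> str:
    """Create the secret file with 0600 from the start (no window with loose bits)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{ACCESS_KEY_VAR}={access_key}\n{SECRET_KEY_VAR}={secret_key}\n")
    return path


def load_credentials(env: dict | None = None, secret_file: str | None = None) -> Credentials:
    env = os.environ if env is None else env
    ak, sk = env.get(ACCESS_KEY_VAR), env.get(SECRET_KEY_VAR)
    if ak and sk:
        return Credentials(ak, sk, "env")
    if secret_file:
        mode = stat.S_IMODE(os.stat(secret_file).st_mode)
        if mode & 0o077:
            raise CredentialPolicyError(f"{secret_file} mode {mode:04o} is group/world accessible; refusing")
        kv = {}
        with open(secret_file) as fh:
            for line in fh:
                if "=" in line and not line.lstrip().startswith("#"):
                    k, v = line.strip().split("=", 1)
                    kv[k.strip()] = v.strip()
        if kv.get(ACCESS_KEY_VAR) and kv.get(SECRET_KEY_VAR):
            return Credentials(kv[ACCESS_KEY_VAR], kv[SECRET_KEY_VAR], "file")
    raise CredentialPolicyError("no credentials configured; do not ask the user to paste AK/SK into chat")


def secret_file_is_private(path: str) -> bool:
    return not stat.S_IMODE(os.stat(path).st_mode) & 0o077
```

When a pasted key is refused, the right follow-up is to tell the user to rotate it: once it has been in a transcript it should be treated as exposed regardless of redaction. The credentials the skill does load should be scoped to the media operations it needs, which also removes the IAM-listing exposure reported earlier.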

VirusTotal

All 65 of 65 antivirus vendors reported this skill as clean (no detections). An antivirus verdict covers malware signatures only; it does not assess the credential-handling, logging, data-transfer and consent issues recorded in the findings above, which are behavioural rather than file-based.