Byted Kickart Saliency Segmenter

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible image cutout workflow, but it asks for cloud secrets in chat, uploads files to remote services, can mutate account/package state, and logs sensitive request data.

Review this carefully before installing. Use a scoped, revocable API token instead of pasting AK/SK secrets into chat, avoid sensitive images unless remote upload is acceptable, check and clean /tmp and ~/.openclaw logs/caches, and do not approve any returned upgrade install command unless you have independently verified it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no permissions while its documented behavior requires environment-variable access, local file reads/writes, archive extraction, and network access. This undermines least-privilege review and can cause the agent to run a broader capability set than users or platform policy would expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior significantly exceeds simple image segmentation by adding account/package checks, self-update logic, media upload orchestration, and IAM-related actions. When a skill's real behavior exceeds its stated purpose, users may unknowingly authorize credential handling, remote uploads, or code execution they did not consent to.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to ask users to paste ACCESS_KEY_ID and SECRET_ACCESS_KEY into chat and then export them for later commands. Collecting long-lived cloud credentials through conversational input creates a direct secret-exfiltration and misuse risk far beyond what is necessary for a background-removal workflow.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The workflow adds pip installation and package-management steps unrelated to the core task of image segmentation. Allowing a skill to install dependencies during execution increases the attack surface, can introduce supply-chain risk, and exceeds expected behavior for a simple media-processing skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The version-check flow allows execution of an externally supplied install_command returned by an update mechanism. This is effectively remote code execution from a network-controlled source, and if the update channel is compromised or spoofed, the agent could run arbitrary commands.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The service hard-codes a remote image URL instead of using a user-supplied image, which violates the stated skill behavior and causes data-flow mismatch between what users expect and what is actually processed. In a skill advertised for image background removal, this can mislead users, produce incorrect results, and create an integrity issue where the backend processes unintended content under the guise of user input.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The generic post method accepts an arbitrary action string and forwards it directly to the backend client, enabling callers to reach backend capabilities beyond saliency segmentation. In the context of a narrowly scoped image-cutout skill, this broadens the attack surface and can allow unintended API operations if upstream callers can influence the action parameter.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code enumerates IAM users and preferentially selects an admin user ID, which is unrelated to an image background-removal workflow. In a skill whose stated purpose is image cutout, this expands access beyond least privilege and can cause uploads or media operations to run under a highly privileged identity, increasing blast radius if the skill is abused or compromised.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module advertises support for video and audio extensions even though the skill is described as operating on picture files for cutout. This scope mismatch enables unnecessary handling of broader media types, which increases attack surface, data exposure risk, and the possibility of processing content outside the user’s intended workflow.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This implementation is a generic remote media upload and asset-management client, not code narrowly focused on segmentation or background removal. In the context of an image-cutout skill, such broad upload and material-management capability can be repurposed to move, register, and retrieve arbitrary media in backend systems, creating a significant overprivilege and misuse risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The service stores uploaded media records together with group, channel/account identifiers, file paths, serialized material metadata, and timestamps in local CSV files. For a skill described as image segmentation/background removal, this is broader data collection and persistence than necessary, increasing privacy and data-retention risk if the host is multi-tenant or the storage is later accessed by other components.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This code uploads user-supplied local files to a remote media platform and first retrieves an admin/owner identity to do so. In the context of a segmentation skill, undisclosed exfiltration of local images to a remote service is a significant trust and privacy issue, and use of an admin identity expands the blast radius if the remote integration is misused or compromised.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The module caches media IDs, URLs, dimensions, sizes, and timestamps on local disk after upload. While not immediately exploitable by itself, this creates additional sensitive metadata at rest that is not clearly needed for a simple background-removal skill and may aid later tracking or data exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill’s declared purpose is image saliency segmentation/background removal, but the executable logic instead instantiates an external service client and invokes `RegisterArkClawCombo`. This is a strong capability/intent mismatch: triggering the skill would perform an unrelated external registration action, which could abuse user trust, consume external resources, or enroll accounts/services without informed consent.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The inline comment and docstring explicitly state that the command queries/registers a free Ark Claw package, directly contradicting the skill metadata claiming image cutout functionality. This textual mismatch reinforces that the code is intentionally repurposed for an unrelated external action, increasing the likelihood of deceptive behavior rather than a simple implementation mistake.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger condition includes vague language such as recognizing 'equivalent intent,' which broadens activation boundaries. Over-broad triggering can cause the skill to run unexpectedly on unrelated prompts, increasing the chance of unnecessary file access, network uploads, or credential solicitation.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill tells the agent to collect and configure AK/SK credentials in chat without strong warning or safer alternatives. Even if intended for convenience, normalizing secret-sharing in conversation exposes users to credential theft, logging exposure, and accidental reuse in unintended commands.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code logs full request headers and body before sending the request, which includes the Authorization header and potentially sensitive image or metadata payloads. Anyone with access to application logs could recover bearer tokens, signed credentials, or user content, enabling unauthorized API use and data exposure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The request logger records full headers and request bodies, including Authorization values and potentially sensitive upload metadata. If logs are accessible to operators, other services, or attackers through log aggregation, this can leak API credentials and user data, enabling unauthorized backend access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file performs remote upload of local media with no indication in this module of any user notice, consent gate, or disclosure. For an image-processing skill, silent network transfer materially changes the data-handling model and can expose private images to external services without informed approval.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The repository writes cached media data to disk and supports deletion without any visible notice, policy, or transparency controls. In a skill context involving potentially sensitive user images, undisclosed local persistence can surprise users and increase risk from local file disclosure, backups, or forensic recovery.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script uploads a local file to a media service, but the CLI messaging does not clearly disclose that the selected file's contents will be transmitted off-host. In an agent/skill context, this can cause unintended data exfiltration if a user or calling workflow provides a sensitive local path assuming only local processing.

Ssd 3

High
Confidence
99% confidence
Finding
The skill not only asks for AK/SK secrets in chat but also instructs the agent to reuse them across subsequent commands in the session. This creates sustained exposure of highly sensitive cloud credentials, enabling unauthorized API access, account abuse, and lateral impact if logs or the agent environment are compromised.

VirusTotal

65/65 vendors flagged this skill as clean.