ClawHub

Ai Image To Code

Security checks across malware telemetry and agentic risk

Overview

No artifact-backed malicious or review-level behavior was verified; the scanner findings appear to reference files or content not present in the inspected workspace.

VirusTotal was clean, and the supplied scanner concerns were not supported by the artifacts I could inspect. Because the artifact set appears mismatched or incomplete, users should still review the actual published skill files before installing, especially any instructions that ask them to submit screenshots or sensitive local content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file defines _main() twice, and the second definition silently overrides the real test runner with a call to undefined _run_unit_tests(). When executed as a script, this causes the suite to fail immediately instead of running validation checks, which can disable enforcement and allow unsafe or noncompliant skill content to pass through an expected testing gate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This README encourages users to paste screenshots for analysis but does not warn that screenshots may contain sensitive information such as personal data, credentials, API keys, internal dashboards, or confidential business content. In the context of an image-to-code skill, omission of privacy guidance increases the likelihood that users will submit sensitive images to an external model or processing pipeline without understanding the exposure risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal