Back to skill

Security audit

Ai Image To Code

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple screenshot-to-code helper with no evidence of hidden access, persistence, or malicious behavior, though users should avoid sharing sensitive screenshots.

Install only if you are comfortable sending UI screenshots to the model used by your OpenClaw environment. Crop or redact screenshots that include secrets, personal data, account details, customer information, or internal dashboards. The included tests and packaging metadata have quality gaps, but the reviewed artifacts do not show hidden or unsafe behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
A later redefinition of _main shadows the real test runner with a stub that calls an undefined helper and then returns success, defeating the integrity of the test harness. This can cause CI or manual execution to skip substantive checks or fail in unexpected ways, allowing noncompliant or unsafe skill content to be shipped without validation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to paste screenshots/images for processing but does not warn that screenshots may contain sensitive information such as emails, account IDs, API keys, personal data, or internal dashboards. In a vision-processing skill, this omission increases the chance that users will unknowingly submit confidential content to the model or platform.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.