Image Recognition

Security checks across malware telemetry and agentic risk

Overview

This image-recognition skill works as described, but it can upload images using an embedded API key that the user did not configure.

Review before installing. Configure your own API key explicitly, remove or distrust the embedded fallback key, and only process images you are comfortable sending to a remote model provider. Avoid private screenshots, IDs, documents, QR codes, account pages, or credential-containing images unless you accept that upload path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities that read local files, access environment variables, and send data over the network, but it declares no permissions. This weakens user consent and review because sensitive inputs such as local config, API keys, and image contents may be accessed or transmitted without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond simple image recognition by reading ~/.openclaw/openclaw.json for credentials and transmitting image data to third-party APIs, while the declared purpose does not prominently disclose these security-relevant actions. If the implementation also falls back to a hardcoded default API key when user credentials are absent, that introduces undisclosed credential use and unexpected external data transfer.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads `~/.openclaw/openclaw.json` to discover provider settings and API keys that are not part of the immediate image input. This expands its access to unrelated local secrets and account configuration, violating least-privilege and creating unnecessary credential exposure if the skill is modified, compromised, or logs/errors leak the values.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains a hardcoded fallback API key and will automatically use it if no user key is configured. Embedded service credentials are dangerous because anyone with the code can extract and abuse the key, and the skill can send user data to a third-party service under undisclosed credentials without explicit consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The usage guide contains a hardcoded API key directly in example code, which exposes a live credential to anyone who reads or copies the documentation. This can enable unauthorized use of the external service, billing abuse, account compromise, and makes secret rotation difficult once the guide is distributed.
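The two findings above, and the "review before installing" advice in the overview, come down to one check a reviewer can run on a skill script before trusting it: is there a high-entropy string literal bound to a secret-looking name, and does the credential path fall back to it with `x or DEFAULT_KEY`? The AST walker below does that check, and also reports string constants that name the OpenClaw config file and outbound network calls, so the reviewer sees every undeclared capability the findings list. This is an added example, not SkillSpector's or the skill's code; `SAMPLE_SKILL` is a constructed stand-in for the pattern the findings describe, with a placeholder key rather than the live credential, and the names `VISION_API_KEY` and `vision.example` are invented for the illustration.

```python
"""Static review check for an agent skill script: flags a string constant bound to a
secret-looking name, an `x or <that constant>` fallback, string constants naming the
OpenClaw config file, and outbound network calls.  Added example; not the scanner's
or the skill's code.  SAMPLE_SKILL is constructed and its key is a placeholder."""
import ast
import math
import re
from collections import Counter
from dataclasses import dataclass

SECRET_NAME = re.compile(r"key|token|secret|passw", re.I)
NETWORK_CALLS = {"post", "put", "request", "urlopen"}   # attribute names of outbound calls

# Constructed sample reproducing the pattern the findings describe (placeholder key).
SAMPLE_SKILL = '''
import os, json, base64, requests
DEFAULT_KEY = "sk-live-0123456789abcdefABCDEF0123456789"

def load_key():
    key = os.environ.get("VISION_API_KEY")
    if not key:
        cfg = json.load(open(os.path.expanduser("~/.openclaw/openclaw.json")))
        key = cfg.get("api_key")
    return key or DEFAULT_KEY          # silent fallback to an embedded credential

def recognise(path, prompt):
    data = base64.b64encode(open(path, "rb").read()).decode()
    return requests.post("https://vision.example/v1/see",
                         json={"image": data, "prompt": prompt},
                         headers={"Authorization": f"Bearer {load_key()}"})
'''


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    # Long, no whitespace, high entropy: filters out prose and short config names.
    return (len(value) >= 20 and not any(ch.isspace() for ch in value)
            and shannon_entropy(value) > 3.5)


def mask(value: str) -> str:
    # Never echo the whole literal into a report; the report itself gets shared.
    return f"{value[:6]}...({len(value)} chars)"


def review_skill_source(source: str) -> list[Finding]:
    tree = ast.parse(source)
    findings: list[Finding] = []
    secret_consts: set[str] = set()
    # Pass 1: secret-looking names bound directly to a high-entropy string literal.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and looks_like_secret(node.value.value)):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    secret_consts.add(target.id)
                    findings.append(Finding(node.lineno, "hardcoded-secret",
                                            f"{target.id} = {mask(node.value.value)}"))
    # Pass 2: `or` fallbacks to those literals, config-file paths, outbound calls.
    for node in ast.walk(tree):
        if isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or):
            last = node.values[-1]
            if (isinstance(last, ast.Constant) and isinstance(last.value, str)
                    and looks_like_secret(last.value)):
                findings.append(Finding(node.lineno, "embedded-fallback", mask(last.value)))
            elif isinstance(last, ast.Name) and last.id in secret_consts:
                findings.append(Finding(node.lineno, "embedded-fallback",
                                        f"falls back to {last.id}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and ".openclaw" in node.value:
            findings.append(Finding(node.lineno, "local-config-access", node.value))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in NETWORK_CALLS:
            findings.append(Finding(node.lineno, "network-transmission", ast.unparse(node.func)))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in review_skill_source(SAMPLE_SKILL):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the constructed sample it reports the embedded key on line 3, the `~/.openclaw/openclaw.json` read, the `key or DEFAULT_KEY` fallback, and the `requests.post` call. The entropy threshold is deliberately crude: it is meant to surface candidates for a human reviewer, and a skill that builds the key from concatenated fragments would slip past it, which is itself a reason to read the credential path by hand.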

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that image data is base64-encoded and sent to a configured vision-model API, but it does not clearly warn that private or sensitive image contents leave the device. Users may reasonably treat OCR or screenshot analysis as local processing and unintentionally upload confidential documents, chats, or credentials to third-party services.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The documentation encourages automatic reading of OpenClaw configuration and API keys without clearly warning that these are sensitive credentials and should be protected. This increases the risk of unsafe handling, accidental disclosure in logs, or user misunderstanding about how broadly the skill can access stored secrets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill transmits the full base64-encoded image and prompt text to a remote endpoint, but there is no explicit warning or consent flow informing the user that local image contents will leave the device. For an image-recognition skill this is functionally expected, but it is still privacy-relevant because images may contain sensitive visual data or OCR-extracted secrets.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script reads API credentials from environment variables and then falls back to a local OpenClaw config file without clearly disclosing that it accesses local secrets. Although credential loading is common for API clients, the undisclosed secret access increases surprise and reduces user visibility into what sensitive data the skill touches.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example code base64-encodes local image contents and sends them to a third-party API, but the guide does not clearly warn users that image data leaves the local device. This is risky because screenshots, documents, and photos may contain sensitive personal, corporate, or authentication information that users may unknowingly upload.
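The credential-loading and disclosure findings above describe the same shape of fix: an explicit precedence (environment variable, then the user's config file only with opt-in), no embedded fallback at all, and a disclosure of destination, size and key provenance before any image leaves the device. The sketch below shows that shape. It is an added example, not the skill's code or SkillSpector's; `VISION_API_KEY`, the `api_key` field inside openclaw.json, the `vision.example` endpoint and all function names are assumptions for illustration, and the config-file permission check is an added hardening step the page does not mention.

```python
"""Hardened credential resolution and pre-upload disclosure for an image-recognition
skill.  Added example, not the skill's or the scanner's code.  VISION_API_KEY, the
`api_key` config field, the endpoint and the function names are assumptions."""
import base64
import json
import os
import stat
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse

ENV_VAR = "VISION_API_KEY"          # assumed variable name
CONFIG_KEY = "api_key"              # assumed field inside openclaw.json


class CredentialError(RuntimeError):
    """Raised instead of silently switching to a key the user did not configure."""


@dataclass(frozen=True)
class Credential:
    value: str
    source: str          # "env" or "config:<path>"; an embedded key is never a source


def resolve_api_key(env: Mapping[str, str], config: Optional[dict] = None,
                    config_path: str = "", allow_config_file: bool = False) -> Credential:
    """Explicit env var first; the user's config file only if they opted in; no fallback."""
    key = env.get(ENV_VAR, "").strip()
    if key:
        return Credential(key, "env")
    if config is not None:
        if not allow_config_file:
            raise CredentialError(f"{ENV_VAR} is unset; reading {config_path or 'the config file'} "
                                  "requires allow_config_file=True")
        key = str(config.get(CONFIG_KEY) or "").strip()
        if key:
            return Credential(key, f"config:{config_path}")
    raise CredentialError(f"no API key configured; set {ENV_VAR}")


def load_openclaw_config(path: str = "~/.openclaw/openclaw.json") -> tuple[Optional[dict], str]:
    """Read the user's config, refusing a file that other local users can read."""
    full = os.path.expanduser(path)
    if not os.path.exists(full):
        return None, full
    mode = os.stat(full).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        raise CredentialError(f"{full} is readable by other users ({stat.filemode(mode)}); "
                              "fix its permissions before using the key it holds")
    with open(full, encoding="utf-8") as fh:
        return json.load(fh), full


def describe_upload(image: bytes, prompt: str, endpoint: str, cred: Credential) -> dict:
    """Disclosure to show before sending: destination, size, and whose key is used."""
    encoded = base64.b64encode(image).decode("ascii")
    return {
        "destination": urlparse(endpoint).hostname or endpoint,
        "image_bytes": len(image),
        "payload_bytes": len(encoded) + len(prompt),
        "credential_source": cred.source,
        "warning": ("image pixels and prompt text leave this device; do not continue with "
                    "screenshots, IDs, documents, QR codes or credential-bearing images "
                    "unless you intend to upload them"),
    }


def build_request(image: bytes, prompt: str, endpoint: str, cred: Credential,
                  consent_to_upload: bool = False) -> tuple[str, dict, dict]:
    """Returns (url, json body, headers) for the HTTP client, or refuses without consent."""
    disclosure = describe_upload(image, prompt, endpoint, cred)
    if not consent_to_upload:
        raise PermissionError(f"upload of {disclosure['image_bytes']} bytes to "
                              f"{disclosure['destination']} not consented")
    body = {"image": base64.b64encode(image).decode("ascii"), "prompt": prompt}
    headers = {"Authorization": f"Bearer {cred.value}"}
    return endpoint, body, headers


if __name__ == "__main__":
    try:
        config, path = load_openclaw_config()
        cred = resolve_api_key(os.environ, config, path, allow_config_file=False)
        print(describe_upload(b"\x89PNG\r\n\x1a\n", "what is in this image?",
                              "https://vision.example/v1/see", cred))
    except CredentialError as exc:
        print("refused:", exc)
```

The point of returning the request rather than sending it is that the consent gate and the disclosure can be unit-tested offline, and the transport can be swapped without touching the policy. `resolve_api_key` takes the environment and the parsed config as arguments for the same reason: the precedence rules are testable without a real home directory, and there is no code path in which a missing user key turns into somebody else's.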

VirusTotal

57/57 vendors flagged this skill as clean.
