ClawHub
Back to skill

Security audit

Virtual Try On

Security checks across malware telemetry and agentic risk

Overview

This skill appears to use a disclosed third-party image-processing API for its stated clothing-image workflow, with privacy caveats users should understand.

Install only if you are comfortable sending the referenced image URLs and your workflow API key to api.ngmob.com. Avoid private, sensitive, or regulated images unless the provider’s privacy, retention, and training policies meet your needs, and use a scoped or revocable API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README instructs users to send clothing images to an external API but does not disclose that user-provided images will be transmitted off-platform, processed by third-party infrastructure, or subject to retention and privacy practices. Even if the images are commercial product assets rather than highly sensitive personal data, undisclosed external transmission can create privacy, confidentiality, and compliance risks for users and organizations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to send clothing image URLs and an API bearer token to a third-party service without any privacy, data handling, or consent warning. This can expose user-provided image data and credentials to an external processor, creating privacy and credential-handling risk even if the service is legitimate.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Call the Workflow API

```bash
curl -X POST https://api.ngmob.com/api/v1/workflows/2IIk3Z6NKuPZP7moonEI/run \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
curl -X POST https://api.ngmob.com/api/v1/workflows/2IIk3Z6NKuPZP7moonEI/run \ -H "Authorization: Bearer $API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Call the Workflow API

```bash
curl -X POST https://api.ngmob.com/api/v1/workflows/2IIk3Z6NKuPZP7moonEI/run \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
https://api.ngmob.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.