BitSoul AI Face Beauty 人像AI美颜 (Portrait AI Beautification)

Security checks across malware telemetry and agentic risk

Overview

This photo beautification skill needs Review because it downloads and runs an unverified native program and sends a token over plain HTTP.

Install only if you trust the publisher and are comfortable running a downloaded native binary against your local images. Avoid sensitive photos or valuable tokens unless the publisher switches all remote calls to HTTPS, stops putting tokens in URLs, publishes verifiable hashes or signatures for the binary, and clearly documents what data leaves the machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tainted flow: 'download_url' from os.environ.get (line 58, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
print(f"Starting to download {file_name} ...")
print(f"Download url: {download_url}")

with requests.get(download_url, stream=True, timeout=300) as response:
    if response.status_code != 200:
        print(f"Download failed, HTTP status code: {response.status_code}")
        if retry < max_retries - 1:
Confidence
94% confidence
Finding
with requests.get(download_url, stream=True, timeout=300) as response:
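The variable-mediated flow the scanner reports (token read from the environment, sent to the server, download URL derived from the response, download URL passed to requests.get) can be reproduced with a small AST pass. The block below is an added example, not SkillSpector's analyzer and not the skill's code; the source it scans is constructed to match the findings on this page, so the names BITSOUL_TOKEN, api.example.invalid and get_download_url are assumptions. It also flags the plain-HTTP base URL and the token-in-query-parameter pattern that the last finding on this page describes.

```python
"""Toy taint check for three patterns reported on this page: environment
variables flowing into network calls, plain-HTTP URLs, and credentials passed
as query parameters.  Added example; not SkillSpector's own analyzer."""
import ast

ENV_SOURCES = {("os", "environ", "get"), ("os", "getenv")}
NET_SINKS = {("requests", "get"), ("requests", "post")}

# Constructed sample in the shape the findings describe; not the skill's code.
SAMPLE_SOURCE = '''
import os, requests
BASE_URL = "http://api.example.invalid"
token = os.environ.get("BITSOUL_TOKEN")
resp = requests.get(f"{BASE_URL}/get_download_url", params={"token": token}, timeout=30)
download_url = resp.json()["url"]
with requests.get(download_url, stream=True, timeout=300) as r:
    pass
'''


def dotted(node):
    """('os', 'environ', 'get') for os.environ.get, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def names_in(node):
    """All variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def scan(source):
    """Return findings as one-line strings, in source order."""
    tree = ast.parse(source)
    nodes = [n for n in ast.walk(tree)
             if isinstance(n, (ast.Assign, ast.Call, ast.Constant))]
    # ast.walk is breadth-first; sort so assignments are seen before later uses.
    nodes.sort(key=lambda n: (n.lineno, n.col_offset))
    tainted = {}   # variable name -> where its taint originated
    findings = []
    for node in nodes:
        if isinstance(node, ast.Assign):
            src = dotted(node.value.func) if isinstance(node.value, ast.Call) else None
            if src in ENV_SOURCES:
                reason = f"{'.'.join(src)} line {node.lineno}"
            else:
                # Taint propagates through any expression that reads a tainted
                # name, which is how resp.json()["url"] inherits the token's taint.
                hit = sorted(names_in(node.value) & set(tainted))
                reason = tainted[hit[0]] if hit else None
            if reason:
                for target in node.targets:
                    for name in names_in(target):
                        tainted.setdefault(name, reason)
        elif isinstance(node, ast.Call):
            sink = dotted(node.func)
            if sink not in NET_SINKS:
                continue
            used = set()
            for arg in node.args:
                used |= names_in(arg)
            for kw in node.keywords:
                used |= names_in(kw.value)
            for name in sorted(used & set(tainted)):
                findings.append(f"line {node.lineno}: {'.'.join(sink)} receives "
                                f"tainted '{name}' ({tainted[name]})")
            # Credentials handed to requests as query parameters end up in the URL.
            for kw in node.keywords:
                if kw.arg == "params" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and "token" in str(key.value).lower():
                            findings.append(f"line {node.lineno}: credential "
                                            f"'{key.value}' sent as URL query parameter")
        elif isinstance(node.value, str) and node.value.startswith("http://"):
            findings.append(f"line {node.lineno}: plain-HTTP URL {node.value!r}")
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_SOURCE):
        print(line)
```

Running it on the constructed sample yields four findings: the plain-HTTP base URL on line 3, the token reaching requests.get on line 5 (twice, once as a tainted variable and once as a query parameter), and download_url reaching requests.get on line 7 with its taint traced back to the os.environ.get read on line 4. That last finding is the same variable-mediated chain the scanner labels "'download_url' from os.environ.get".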

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, reads environment variables and files, and uses network access, yet declares no permissions or trust boundary information. This hides sensitive capabilities from users and reviewers, making it easier for the skill to access secrets, download artifacts, and execute code without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill is presented as a local image beautification tool, but its documented behavior includes contacting an external server, retrieving a download URL, downloading an executable, and running it. That mismatch is dangerous because users may provide images and tokens under the false assumption of local-only processing while the skill introduces remote code supply-chain risk and secret exposure paths.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Skill initialization downloads a platform-specific executable from a remote server despite the stated purpose being image beautification. This greatly expands the trust boundary and creates a software supply-chain risk: initialization can modify the host filesystem and introduce arbitrary native code before any explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill reads authentication material from environment variables and optionally from a user-specified dotenv-style file, which exceeds what is obviously needed for a local image beautification feature. This broadens secret access and can expose tokens to misuse or accidental leakage, especially because the token is later sent to a remote service.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The code makes outbound network requests to obtain a download URL and then retrieve a file, behavior not justified by the narrow manifest description. In context, these requests are part of a chain that fetches an executable, making the network capability materially dangerous because it enables remote payload delivery and external dependency on an untrusted service.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation claims photos are processed entirely locally and not uploaded, but the skill simultaneously requires a remote-service token for permission verification and initialization. Even if images are not uploaded, this contradictory messaging undermines trust and can mislead users about external dependencies, telemetry, and the true privacy posture of the tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Requiring an external account token for a supposedly simple local beautification workflow creates unnecessary external trust and expands the attack surface. It introduces credential handling risks, dependence on a third-party service, and the possibility of token misuse or unauthorized access if the environment or env file is exposed.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill silently writes a remotely fetched executable into the local skill directory during initialization, without clear consent or warning. This is risky because it changes the local filesystem and prepares native code for execution, making compromise or unexpected persistence more likely.

Missing User Warnings

High
Confidence
99% confidence
Finding
The base URL uses plain HTTP, and the token is sent as a URL query parameter when requesting the download URL. Anyone on the network path can read the token and the server's response, and can rewrite that response so the skill downloads and runs an attacker-chosen file. This also leaves the token in proxy logs, server access logs, and browser or shell history wherever the URL is recorded.
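What the remediation asked for in the overview would look like at the download step, as an added example that is not the skill's code and does not reproduce it: HTTPS is required, the token travels in an Authorization header rather than in the URL, and the file is written to a temporary path and only moved into place after its SHA-256 matches a value the publisher would have to supply. The URL, the Bearer header scheme, the hex hash format and the file name are assumptions; the sample bytes are constructed so the example runs offline.

```python
"""Fetch-and-verify for a downloaded native program.  Added example; the
assumptions (HTTPS endpoint, Bearer token header, publisher-supplied SHA-256)
are not taken from the page."""
import hashlib
import hmac
import os
import tempfile
import urllib.request
from urllib.parse import urlsplit


def _http_chunks(url, token, timeout=300):
    """Default fetcher: token in a header, never in the URL."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        while True:
            chunk = resp.read(1 << 16)
            if not chunk:
                return
            yield chunk


def fetch_verified(url, token, expected_sha256, dest, fetch=_http_chunks):
    """Download url to dest only if its SHA-256 equals expected_sha256.

    Refuses plain HTTP and credentials in the query string, streams into a
    temp file in the destination directory, and removes that temp file on any
    failure so a mismatched artifact never lands at dest.  Returns the digest.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS download URL: {url}")
    if "token" in parts.query.lower():
        raise ValueError("credential found in URL query string")
    digest = hashlib.sha256()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in fetch(url, token):
                digest.update(chunk)
                out.write(chunk)
        actual = digest.hexdigest()
        if not hmac.compare_digest(actual, expected_sha256.lower()):
            raise ValueError(f"hash mismatch: got {actual}, expected {expected_sha256}")
        os.replace(tmp, dest)   # atomic: dest is either old content or verified content
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    os.chmod(dest, 0o700)       # executable bit set only after verification; nothing is run here
    return actual


# Constructed stand-in for the binary and the network so the example runs offline.
FAKE_BINARY = b"\x7fELF-constructed-sample-not-a-real-binary"
FAKE_SHA256 = hashlib.sha256(FAKE_BINARY).hexdigest()


def fake_fetch(url, token):
    """Offline fetcher yielding the constructed bytes in two chunks."""
    yield FAKE_BINARY[:10]
    yield FAKE_BINARY[10:]


def demo():
    """Exercise the verified install and the three refusal paths; returns which held."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        dest = os.path.join(workdir, "bitsoul-engine")
        got = fetch_verified("https://example.invalid/engine", "tok", FAKE_SHA256, dest, fetch=fake_fetch)
        results["verified_install"] = got == FAKE_SHA256 and os.path.getsize(dest) == len(FAKE_BINARY)
        try:
            fetch_verified("https://example.invalid/engine", "tok", "00" * 32, dest, fetch=fake_fetch)
            results["mismatch_rejected"] = False
        except ValueError:
            # previously verified file untouched, no temp file left behind
            results["mismatch_rejected"] = os.listdir(workdir) == ["bitsoul-engine"]
        try:
            fetch_verified("http://example.invalid/engine", "tok", FAKE_SHA256, dest, fetch=fake_fetch)
            results["http_rejected"] = False
        except ValueError:
            results["http_rejected"] = True
        try:
            fetch_verified("https://example.invalid/engine?token=tok", "tok", FAKE_SHA256, dest, fetch=fake_fetch)
            results["token_in_url_rejected"] = False
        except ValueError:
            results["token_in_url_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The hash must come from somewhere the attacker on the network path cannot rewrite (pinned in the skill's own files or fetched over an independent channel); if the expected hash is served by the same plain-HTTP endpoint as the binary, the check adds nothing. Verification also does not replace the consent and documentation points raised in the findings above: a verified download is still a native program the user should be told about before it is written to disk.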

VirusTotal

67/67 vendors reported this skill as clean (no detections). This result covers the skill package as submitted; the native executable that initialization downloads afterwards is a separate artifact and is not covered by it.

View on VirusTotal