Security audit

Brand Asset Generation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent brand-asset generator, but it needs review because it bulk-embeds personal contact details and renders SVGs through an unsandboxed headless browser workflow.

Install only if you are comfortable with a skill that writes many brand files, runs local Python/Edge rendering scripts, and embeds supplied contact details into public assets. Review and replace the sample personal information in the templates, avoid private home addresses unless intentionally publishing them, and render only SVGs you trust or run the renderer in a restricted workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to read reference files, execute reusable scripts, write large numbers of generated assets, and invoke shell-capable tooling such as Edge headless rendering and Pillow-based processing, yet no explicit permission model or user-facing authorization boundary is declared. In an agent ecosystem, this mismatch is dangerous because a seemingly content-only skill can cause file-system changes and command execution without clear consent or sandbox constraints, increasing the risk of unintended writes, data exposure, or abuse of shell execution paths.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This exemplar file embeds specific personal contact details (name, phone number, email, and domain) inside what is presented as reusable template content. In a brand-asset generation skill, hard-coded PII can be unintentionally propagated into generated deliverables, causing privacy leakage, misattribution, and accidental disclosure to downstream users.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims to contain 'pure template content', but the embedded examples include fixed branding and contact information. This mismatch increases the risk that operators or downstream automation will trust the file as safe boilerplate and reuse sensitive or irrelevant embedded identifiers without review.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The file repeatedly embeds fixed company/person identifiers across multiple sections of a supposedly reusable exemplar. Repetition makes accidental propagation more likely and harder to catch, especially in an end-to-end generation skill that may copy these values into multiple output assets automatically.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list includes very broad and ambiguous activation terms such as generic brand-asset phrases and especially meta terms like "meta-skill-system," which can cause the skill to activate outside the user's intended scope. Overbroad activation is risky because it may pull in a high-capability skill that performs file access, script execution, or personal-data processing in contexts where the user did not knowingly request those operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that it collects company and personal information and injects that information into multiple generated assets, but it provides no user-facing warning, consent flow, retention policy, or minimization guidance. This creates privacy and confidentiality risk because sensitive identifiers may be propagated into many files, templates, and derived artifacts without the user understanding where the data will be stored, rendered, or reused.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly collects personal contact details such as name, phone, email, website, and address, then later propagates them into generated assets without any stated privacy notice, consent boundary, retention rule, or disclosure warning. In a branding skill, these details are likely to be embedded into outward-facing deliverables, so omission of privacy/data-handling guidance creates a real risk of unintended exposure or over-collection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The catalog includes cleanup and delivery steps that delete auxiliary files and copy outputs to Downloads, but it provides no warning, confirmation gate, or scope limitation for those filesystem actions. Even if intended as housekeeping, destructive cleanup and uncontrolled copying can cause accidental data loss, overwrite user files, or place sensitive brand materials and embedded personal information in a broadly accessible location.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly requires collecting real personal information such as full name, phone number, email, website, and full street address, but provides no privacy notice, minimization guidance, retention limits, or consent checks. In a content-generation workflow that mass-produces deliverables, this creates an avoidable risk of exposing sensitive personal data in generated assets, logs, previews, and packaged outputs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The exemplar embeds real-looking personal contact information, including a full name, phone number, email address, and physical address, without any warning that the data is fictional, redacted, or should be replaced before reuse. In a brand-asset generation skill, users or downstream agents may copy this template directly into production assets such as business cards, letterheads, or HTML deliverables, causing unintended disclosure or propagation of personal data.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The document instructs users to delete existing PNG files before rerendering, but does not include a clear safety warning, backup recommendation, or a tightly scoped deletion command. In an agent skill context, destructive file-operation guidance can be copied into automation or executed against the wrong directory, causing unintended loss of generated assets or other PNG files.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill defines a pipeline that collects real personal contact details and bulk-injects them into multiple generated SVG/PNG/ICO deliverables, with no minimization, consent checkpoint, or restriction on downstream disclosure. Because the outputs are branding and publication assets, the context makes this more dangerous: a single mistaken input can be replicated across dozens of files and distributed externally, amplifying privacy leakage.

Ssd 3

Medium
Confidence
95% confidence
Finding
The requirements direct the model to use real user-provided contact details and incorporate them into generated brand materials, which increases the chance of over-sharing or accidental disclosure beyond the user's intended scope. Because this is part of an automated end-to-end pipeline, the data may be replicated across many files and outputs, amplifying the blast radius of any mistake or unintended publication.

Ssd 3

High
Confidence
98% confidence
Finding
This section operationalizes broad propagation of personal information across multiple SVG asset classes, including full contact details in items like business cards, envelopes, and banners, and mandates 100% replacement into all applicable files. The context makes this more dangerous because it is not a single-use insertion but a bulk replication workflow, increasing the risk of privacy breaches, accidental publication, and leakage into public-facing materials.

Unvalidated Output Injection

High
Category
Output Handling
Content
            "--window-size=%d,%d" % (target_w, target_h),
            "--default-background-color=00000000", url
        ]
        subprocess.run(cmd, capture_output=True, timeout=30)
        if os.path.exists(png_path) and os.path.getsize(png_path) > 0:
            return png_path
    return None
Confidence
78% confidence
Finding
subprocess.run(cmd, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
                        "--default-background-color=00000000",
                        "file:///" + html_path.replace("\\", "/")
                    ]
                    subprocess.run(cmd, capture_output=True, timeout=timeout)
                    if os.path.exists(out_png) and os.path.getsize(out_png) > 0:
                        print("    OK: %s (%dx%d, %dB)" % (
                            fname, render_w, render_h, os.path.getsize(out_png)))
Confidence
84% confidence
Finding
subprocess.run(cmd, capture_output

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.