VMake

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly a Vmake media-processing integration, but it needs Review because it can invoke backend tasks beyond the four advertised operations and can send media through external chat accounts using local credentials.

Install only if you are comfortable with media being uploaded to Vmake and then delivered through configured chat platforms. Use scoped Vmake and chat credentials, require explicit user confirmation before paid processing or external delivery, restrict allowed task names to the four documented operations, validate recipients, and consider pinning dependencies before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (24)

Tainted flow: 'img_data' from requests.get (line 82, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
}
    content_type = content_type_map.get(ext, "image/jpeg")

    resp = requests.post(
        "https://open.feishu.cn/open-apis/im/v1/images",
        headers={"Authorization": f"Bearer {token}"},
        data={"image_type": "message"},
Confidence
94% confidence
Finding
resp = requests.post( "https://open.feishu.cn/open-apis/im/v1/images", headers={"Authorization": f"Bearer {token}"}, data={"image_type": "message"}, files={"image":

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill manifest claims only four Vmake AI media-restoration/watermark-removal tasks, but this file exposes txt2img/img2img helpers that enable unrelated image generation capabilities. In an agent setting, this expands the tool’s effective authority beyond what the user, orchestrator, or reviewer expects, creating a capability mismatch that can be abused to invoke undeclared model behaviors and consume paid quota for unintended purposes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The generic invoke/invoke_task interface accepts arbitrary task names and preset entries from config.INVOKE, allowing execution of backend tasks outside the four declared operations. Because this skill fronts a paid remote API and is intended for tightly scoped media processing, unrestricted task dispatch undermines least privilege and can be used to reach hidden or more sensitive backend functions, bypassing manifest-based safety constraints.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
`run_task` forwards the caller-supplied `task_name` directly into quota consumption and `invoke_task` without enforcing the manifest's stated allowlist of four Vmake AI operations. This creates a policy-bypass risk: if the backend or SDK exposes additional algorithms, an agent or prompt injection could trigger unintended paid, sensitive, or higher-risk operations beyond the skill's declared scope.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements Feishu image messaging, which is unrelated to the skill's declared Vmake AI media-restoration scope. Capability drift like this is dangerous because it introduces an undisclosed communication/exfiltration path that users and reviewers would not reasonably expect from the manifest.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code adds the ability to authenticate to Feishu, upload arbitrary images, and send chat messages, none of which are justified by the stated Vmake AI processing purpose. In a skill expected to perform media restoration, hidden outbound messaging materially increases exfiltration and abuse risk.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module documentation advertises Feishu image sending rather than Vmake AI processing, directly conflicting with the declared skill intent. Such contradictions are a strong sign of hidden or repurposed behavior and make security review and user trust significantly weaker.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a Feishu messaging utility that uploads local media, fetches remote cover images, and sends chat messages, which is materially outside the stated Vmake AI media restoration/removal purpose. In this skill context, unrelated messaging capability increases the chance of covert data exfiltration or unauthorized outbound communication using tenant credentials and user-provided media.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads Feishu credentials from local configuration, obtains a tenant token, uploads files/images, and sends media or text messages to arbitrary recipients. For a skill whose declared function is watermark removal and quality restoration, this unjustified chat-sending capability is dangerous because it enables outbound transmission of processed files or links through an unrelated communication channel.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The top-level documentation says the script sends video messages, but the implementation can also send a standalone text message containing an arbitrary download link whenever --video-url is provided. This mismatch hides actual data-sharing behavior from reviewers and operators, reducing transparency and making misuse or stealthy exfiltration easier within an already off-purpose messaging utility.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This file adds Telegram messaging and external file transfer capability that is unrelated to the declared Vmake AI image/video restoration purpose. In an agent skill, unrelated outbound messaging materially increases the attack surface and can be abused to exfiltrate generated media or user-provided files to arbitrary chats outside the expected workflow.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The script adds Telegram-based outbound delivery behavior that is unrelated to the stated Vmake AI restoration/watermark-removal purpose. In a paid media-processing skill, unrelated messaging capabilities create an unexpected exfiltration path for processed media and links, increasing the risk that user content is sent to external recipients without clear authorization.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code not only sends media to Telegram but also performs an arbitrary network fetch of a user-supplied cover URL, which is outside the declared restoration scope. This expands the attack surface with an SSRF-capable primitive and an extra exfiltration channel, making the skill context materially more dangerous because users would not expect unrelated network behavior from a restoration tool.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The skill goes beyond media processing by fetching attachments from arbitrary URLs, Telegram, and Feishu, which expands it into a general network-capable file acquisition tool. In an agent setting, this broadens the attack surface for SSRF-like internal URL access, unauthorized data ingestion, and processing of untrusted content that may not be necessary for the core Vmake function.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The spawn payload builder instructs downstream workers to deliver results through Feishu, Telegram, Discord, or generic messaging, materially expanding the skill from media processing into cross-platform data distribution. In an agent environment this can facilitate unintended exfiltration of processed or source-derived content to external channels, especially when deliver_to and channel choices are agent-controlled.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The SDK exposes generic txt2img and img2img entry points in addition to the four narrowly described Vmake AI operations. In an agent-skill context, this expands the reachable capability surface beyond the declared contract, making it possible for downstream callers or prompt-influenced flows to invoke broader image generation behavior that may bypass policy, billing, or user-expectation constraints.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes watermark removal and media restoration through a commercial external API, but it does not clearly warn that user media may be transmitted off-host to a third-party service or altered in ways that may be sensitive, irreversible, or policy-relevant. In an agent setting, weak disclosure increases the risk of users or host integrators invoking the skill without informed consent, which can create privacy, compliance, and trust issues.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script silently reads Feishu app credentials from the user's local OpenClaw config and uses them to authenticate outbound actions. While local credential use is common, doing so without disclosure in a skill that is not supposed to be a messaging tool increases the risk of surprise credential use and unauthorized actions on behalf of the tenant.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list contains broad phrases like 'remove watermark', 'image restoration', and 'upscale image' that are likely to match many ordinary user requests. In an agent environment, this can cause the skill to activate unexpectedly and route user media to an external paid processing service, creating consent, privacy, and quota-consumption risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest states that the skill uses a paid external API and processes user images/videos, but it does not clearly warn that media may be transmitted off-platform using tenant credentials. This omission can lead to users or host agents invoking the skill without informed consent, exposing sensitive media and incurring unexpected charges.

External Transmission

Medium
Category
Data Exfiltration
Content
}
    content_type = content_type_map.get(ext, "image/jpeg")

    resp = requests.post(
        "https://open.feishu.cn/open-apis/im/v1/images",
        headers={"Authorization": f"Bearer {token}"},
        data={"image_type": "message"},
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
else:
        receive_id_type = "open_id"

    resp = requests.post(
        f"https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type={receive_id_type}",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json={
Confidence
97% confidence
Finding
requests.post( f"https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type={receive_id_type}", headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
67% confidence
Finding
pytest

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
93% confidence
Finding
requests

VirusTotal

67/67 vendors flagged this skill as clean.