Weryai Image Toolkits

Security checks across malware telemetry and agentic risk

Overview

This image-processing skill is mostly coherent, but it can upload arbitrary local files to WeryAI through image fields without enforcing image-only scope.

Install only if you are comfortable sending image inputs, URLs, and request metadata to WeryAI. Avoid using sensitive local paths, and do not let an agent pass arbitrary files as img_url or face_img_url; prefer explicit HTTPS image URLs or dry-run first to inspect uploadPreview.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill is presented as an image-analysis/transformation toolkit, but it accepts any non-http(s) path for media fields and uploads that local file to a remote API. The MIME inference explicitly supports audio, video, and arbitrary binary content, so a user or agent could unintentionally exfiltrate sensitive local files outside the expected image-only scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The MIME detection logic includes support for video, audio, and generic binary formats even though this skill is specifically for image tooling. That broad file handling increases the attack surface and makes it easier to misuse the skill as a generic file uploader to an external service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The upload helper explicitly allows video, audio, and text/structured-text files even though the skill is described as an image toolkit. That mismatch expands the attack surface and enables unintended exfiltration or processing of non-image local files through the same upload path, especially because local paths are accepted and read from disk before upload.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The source resolver accepts arbitrary remote HTTP/HTTPS URLs and returns them directly instead of requiring controlled uploads or restricting to trusted image origins. In an image-processing skill, this can let downstream components fetch attacker-controlled URLs, creating SSRF-style behavior, insecure transport exposure over HTTP, and processing of unexpected non-image content from untrusted hosts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The file instructs use of a third-party API with public image URLs and a bearer API key, but it does not disclose that user-supplied images and related metadata will be transmitted off-platform to WeryAI. In an image-processing skill, this omission can cause users or downstream agents to send sensitive images to an external service without informed consent or privacy review.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guidance to keep all input asset URLs as public HTTPS URLs encourages making images externally accessible, which can expose private user content beyond the local system and beyond the intended audience. In this skill's context, many images may contain personal, confidential, or copyrighted material, so requiring public hosting increases privacy and data-leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
When a payload field contains a non-remote path, the code automatically uploads the referenced local file before submitting the job, but the real execution path provides no explicit user-facing warning or consent step at the moment of exfiltration. In an agent setting, this can cause sensitive local files to be sent to a third-party service contrary to user expectations.

VirusTotal

67/67 vendors flagged this skill as clean.