AI Gender Swap

Security checks across malware telemetry and agentic risk

Overview

This skill is a Media.io gender-swap workflow, but its public description also advertises Studio Ghibli-style artwork, which could mislead users about what will happen to their images.

Install only if you specifically want a Media.io female gender-swap workflow, not a Ghibli-style filter. Use a dedicated revocable Media.io API key if possible, expect credit usage, and submit only images you own or are authorized to share with Media.io.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High
Confidence: 99%
Finding
The manifest advertises Studio Ghibli-style art generation, but the documented behavior actually performs gender-swap image processing. This mismatch can mislead users and calling agents into sending portraits for a materially different and more sensitive transformation than expected, undermining informed consent and safe routing.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The skill description and implementation diverge in a security-relevant way: users are told it performs style transfer, while the API call performs gender transformation on portraits. For an agent ecosystem, this creates deceptive behavior that can cause unauthorized or unexpected processing of sensitive personal images.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill does not prominently warn that image URLs provided by the user are transmitted to Media.io servers for external processing. That omission weakens user awareness and consent around third-party data sharing, especially for portraits and other potentially sensitive images.

VirusTotal

64/64 vendors flagged this skill as clean.
