Security audit

Fooocus Image Generation Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local Fooocus image-generation helper, but its setup and startup scripts have unsafe shell-command handling, broad install/delete authority, and some exposure risks users should review.

Install only if you are comfortable with local Python scripts that download third-party code, install packages, and run a local service. Use a virtual environment, keep Fooocus bound to localhost, avoid --listen and --share unless you understand the exposure, do not pass untrusted path or preset values, and use --force only on a verified Fooocus install directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Start in background
    if sys.platform == "win32":
        subprocess.Popen(
            cmd, cwd=path, shell=True,
            creationflags=subprocess.CREATE_NEW_CONSOLE
        )
Confidence
98% confidence
Finding
subprocess.Popen( cmd, cwd=path, shell=True, creationflags=subprocess.CREATE_NEW_CONSOLE )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            creationflags=subprocess.CREATE_NEW_CONSOLE
        )
    else:
        subprocess.Popen(
            cmd, cwd=path, shell=True,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
        )
Confidence
98% confidence
Finding
subprocess.Popen( cmd, cwd=path, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Run a shell command and return output"""
    try:
        if capture:
            result = subprocess.run(
                cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout
            )
            return result.returncode == 0, result.stdout, result.stderr
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            )
            return result.returncode == 0, result.stdout, result.stderr
        else:
            result = subprocess.run(cmd, shell=True, cwd=cwd, timeout=timeout)
            return result.returncode == 0, "", ""
    except subprocess.TimeoutExpired:
        return False, "", "Command timed out"
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, cwd=cwd, timeout=timeout)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Run a shell command"""
    try:
        if capture:
            result = subprocess.run(
                cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout
            )
            return result.returncode == 0, result.stdout, result.stderr
Confidence
97% confidence
Finding
result = subprocess.run( cmd, shell=True, cwd=cwd, capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            )
            return result.returncode == 0, result.stdout, result.stderr
        else:
            result = subprocess.run(cmd, shell=True, cwd=cwd, timeout=timeout)
            return result.returncode == 0, "", ""
    except subprocess.TimeoutExpired:
        return False, "", "Command timed out"
Confidence
94% confidence
Finding
result = subprocess.run(cmd, shell=True, cwd=cwd, timeout=timeout)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill instructs the agent to modify its own SKILL.md after each use based on user feedback and newly learned experience. Self-modifying skill instructions create a prompt-injection and persistence risk: a malicious user can poison future behavior, alter security boundaries, or insert unsafe instructions that survive beyond a single session.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script is presented as an environment checker but also installs packages, clones a remote repository, and starts a local server. That expands its privileges and attack surface significantly beyond passive inspection, which is risky in an agent skill because invoking a 'check' action can unexpectedly modify the host and execute remote code.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill includes repository cloning and package installation logic that fetches and executes third-party software from the network. In the context of an agent skill, this creates a supply-chain and remote-code-execution pathway that is more dangerous than the declared image-generation purpose suggests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quick reference directs the agent to install dependencies and download large model artifacts automatically, but does not require consistent user confirmation before network access, package installation, or substantial disk usage. In an agent setting, this can lead to unapproved software changes, supply-chain exposure from package retrieval, bandwidth and storage consumption, and execution of untrusted install paths on the user's machine.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide documents `--listen` and `--share` as normal startup flags without any warning that they expose the Fooocus/Gradio service beyond localhost. In a local image-generation skill, users may reasonably assume operation stays private; enabling these flags can unintentionally expose the UI, prompts, uploaded images, and possibly model-management functionality to other hosts or the public internet.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`--force` causes recursive deletion of the target path without an interactive confirmation or additional safety checks. If the path is mistaken, manipulated, or unexpectedly resolves to an important directory, the script can destroy local data; in an installer context this is more dangerous because users may run it casually with elevated trust.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.