ecommerce-image-suite

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate ecommerce image generator, but it needs review because it can send API keys and product prompts to arbitrary custom proxy URLs and partially prints key prefixes.

Install only if you are comfortable sending product descriptions, prompts, and provider credentials to the selected image service or to a proxy you fully trust. Avoid custom *_BASE_URL settings unless you control the endpoint, do not share provider-check output, and use least-privilege API keys that can be rotated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Tainted flow: 'req_url' from os.environ.get (line 146, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        req_url = url
        headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}

    resp = requests.post(
        req_url,
        headers=headers,
        json={
Confidence
98% confidence
Finding
resp = requests.post( req_url, headers=headers, json={ "contents": [{"parts": [{"text": prompt}]}], "generationConfig": { "responseM

Tainted flow: 'url' from os.environ.get (line 133, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def generate_stability(key: str, prompt: str, base_url: str = "", model: str = "") -> bytes:
    url = base_url or DEFAULT_URLS["stability"]
    resp = requests.post(
        url,
        headers={"Authorization": f"Bearer {key}", "Accept": "application/json"},
        files={"none": ""},
Confidence
97% confidence
Finding
resp = requests.post( url, headers={"Authorization": f"Bearer {key}", "Accept": "application/json"}, files={"none": ""}, data={"prompt": prompt, "output_format": "j

Tainted flow: 'url' from os.environ.get (line 133, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def generate_tongyi(key: str, prompt: str, base_url: str = "", model: str = "") -> bytes:
    """Tongyi Qianwen image generation, synchronous API (recommended; suits models such as qwen-image-2.0-pro)."""
    url = base_url or DEFAULT_URLS["tongyi"]
    resp = requests.post(
        url,
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"},
        json={
Confidence
97% confidence
Finding
resp = requests.post( url, headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"}, json={ "model": model, "input": {

Tainted flow: 'url' from os.environ.get (line 133, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def generate_doubao(key: str, prompt: str, base_url: str = "", model: str = "") -> bytes:
    """Doubao Seedream (Volcano Ark): authenticates with ARK_API_KEY."""
    url = base_url or DEFAULT_URLS["doubao"]
    resp = requests.post(
        url,
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"},
        json={
Confidence
97% confidence
Finding
resp = requests.post( url, headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"}, json={ "model": model, "prompt": prompt,

Tainted flow: 'img_url' from requests.post (line 232, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
data = resp.json()
    # The synchronous API returns the image URL directly
    img_url = data["output"]["choices"][0]["message"]["content"][0]["image"]
    return requests.get(img_url, timeout=60).content


def generate_doubao(key: str, prompt: str, base_url: str = "", model: str = "") -> bytes:
Confidence
93% confidence
Finding
return requests.get(img_url, timeout=60).content

Tainted flow: 'img_url' from requests.post (line 232, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
)
    resp.raise_for_status()
    img_url = resp.json()["data"][0]["url"]
    return requests.get(img_url, timeout=60).content


GENERATORS = {
Confidence
93% confidence
Finding
return requests.get(img_url, timeout=60).content

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill claims a constrained purpose—platform-specific ecommerce image generation—but the documented behavior includes provider enumeration, custom base URLs, API-key-related reporting, and post-processing behaviors not reflected in the high-level description. This mismatch reduces informed consent and can expose users to unexpected secret handling or external network destinations, especially when arbitrary proxy endpoints are supported.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document states that API keys do not pass through third-party servers, yet it explicitly supports arbitrary proxy base URLs for every provider. That contradiction is dangerous because users may trust the security statement and unknowingly send credentials and prompts to attacker-controlled or unvetted intermediaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads API keys from environment variables and includes a preview of each key in its JSON output. Even partial credential disclosure can aid secret identification, correlation across logs, and accidental leakage to users, telemetry systems, or CI/CD artifacts, and this behavior is not necessary to determine whether a provider is configured.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill hard-codes a model demographic as a "Young Chinese female model" rather than making the model identity optional or user-directed. This can cause biased or exclusionary outputs, override user expectations, and create compliance or brand-safety issues in a commercial image-generation workflow, especially when no user opt-in for ethnicity is provided.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document provides concrete examples that send user prompts and bearer API keys to third-party image providers but does not warn that product descriptions, uploaded content, or generated prompts may leave the local environment and be processed by external vendors. In an ecommerce image-generation skill, users may include proprietary product data, unreleased designs, or personal images, so omission of disclosure and privacy guidance creates a real data-handling risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sensitive environment-derived values are partially disclosed in structured JSON without any warning or access control. This creates a realistic risk of credential fragments being exposed through console output, application logs, support bundles, or downstream systems that capture command output.

External Transmission

Medium
Category
Data Exfiltration
Content
**Get a key:** https://platform.openai.com/api-keys

```javascript
const response = await fetch("https://api.openai.com/v1/images/generations", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
```
Confidence
86% confidence
Finding
fetch("https://api.openai.com/v1/images/generations", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
formData.append("aspect_ratio", "1:1");   // "1:1" | "16:9" | "9:16" etc
// formData.append("negative_prompt", "blurry, distorted");

const response = await fetch("https://api.stability.ai/v2beta/stable-image/generate/core", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${apiKey}`,
Confidence
85% confidence
Finding
fetch("https://api.stability.ai/v2beta/stable-image/generate/core", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
// Step 1: submit the task
const submitRes = await fetch(
  "https://dashscope.aliyuncs.com/api/v1/services/aigc/text2image/image-synthesis",
  {
    method: "POST",
```
Confidence
91% confidence
Finding
fetch( "https://dashscope.aliyuncs.com/api/v1/services/aigc/text2image/image-synthesis", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
**Get a key:** https://console.volcengine.com/ark → API Key management

```javascript
const response = await fetch("https://ark.cn-beijing.volces.com/api/v3/images/generations", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
```
Confidence
91% confidence
Finding
fetch("https://ark.cn-beijing.volces.com/api/v3/images/generations", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
**Get a key:** https://platform.openai.com/api-keys

```javascript
const response = await fetch("https://api.openai.com/v1/images/generations", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
```
Confidence
86% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
formData.append("aspect_ratio", "1:1");   // "1:1" | "16:9" | "9:16" etc
// formData.append("negative_prompt", "blurry, distorted");

const response = await fetch("https://api.stability.ai/v2beta/stable-image/generate/core", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${apiKey}`,
Confidence
85% confidence
Finding
https://api.stability.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal