Clawdy Selfie

Security checks across malware telemetry and agentic risk

Overview

The skill is a media generator, but it does more than its description clearly says, including public uploads, channel posting, and an unsafe command execution path.

Review this before installing. Only use it if you are comfortable with prompts, reference images, generated media, captions, and channel names being sent to external services and OpenClaw destinations. Avoid untrusted channel names or captions, and prefer a revised version that documents every remote service, removes shell interpolation, avoids public temporary file hosts, and asks before posting media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared purpose is narrowly framed as generating a selfie with a local helper script and `FAL_KEY`, but the static finding indicates materially broader behavior: third-party uploads, messaging-channel delivery, video generation, use of another API key, and generic image generation paths. That mismatch is dangerous because users and reviewers cannot accurately assess where data goes, what credentials are used, or what side effects occur.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill description says it generates a selfie, but the script also sends the resulting file to an arbitrary OpenClaw channel. That hidden side effect expands the skill from local content generation to outbound messaging, which can cause unintended posting, spam, or data disclosure if the caller does not realize a send will occur.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Posting generated content to a channel is a materially different capability than merely generating an image. Because `CHANNEL` is user-controlled and there is no policy check, approval gate, or allowlist, the skill can be used to send content into arbitrary destinations through the agent environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it generates a selfie with a local helper script, but the implementation also transmits the generated image to messaging channels through OpenClaw. This is a capability mismatch that can surprise users and cause unintended data disclosure or message delivery beyond the declared scope.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest states the skill uses an installed local helper script, but the code actually performs direct fal.ai client/network calls. This discrepancy hides the true trust boundary and external data flow, which can mislead users about where prompts and API credentials are sent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code builds a shell command with user-controlled channel, message, and media fields and executes it via exec. Even though values are wrapped in double quotes, shell metacharacter expansion can still lead to command injection, making this materially dangerous beyond the stated selfie-generation purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill accesses OpenClaw gateway settings and can deliver outbound messages, which exceeds the narrow documented selfie-generation scope. This broadens the skill's authority and can leak generated content, captions, and destination metadata to external or semi-external systems without clear disclosure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's behavior materially exceeds the declared skill purpose: it generates a video, calls external APIs, and sends the result to a channel, while the metadata describes only generating a selfie with a local helper script and FAL_KEY. This mismatch is dangerous because it hides network transmission and messaging side effects from users and reviewers, increasing the chance of undisclosed data handling and abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script uploads a local reference image to public third-party file hosts (file.io and 0x0.st) in order to obtain a URL, even though this disclosure is not part of the stated skill purpose. This creates a direct confidentiality risk because a local asset is copied to unaffiliated public infrastructure, potentially exposing sensitive or proprietary image data and creating an uncontrolled retention trail.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script sends the generated video to an OpenClaw channel, introducing a messaging/exfiltration capability not justified by the manifest. This is dangerous because it can distribute generated content to recipients or channels without clear authorization, turning a media-generation helper into a content delivery mechanism.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Referencing use of a configured `FAL_KEY` without a user-facing warning obscures that the skill will access a secret and send requests to an external service. In an agent context, hidden credential use increases the risk of unauthorized API consumption, unexpected billing, and data being transmitted off-host without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill tells the agent to run a local helper script and use a networked API, but the user-facing description does not warn that code will execute locally and may perform external requests. That omission is risky because seemingly simple content-generation requests can trigger shell execution and remote data transfer beyond what a user expects.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits the reference image data and user prompt to a third-party API (`fal.run`) without any explicit disclosure or consent mechanism in the skill itself. In an agent setting, undisclosed external transmission is security-relevant because users may assume processing is local while their content and metadata are sent off-platform.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
User-controlled values are interpolated directly into a shell command passed to exec. This creates a classic command-injection path that could allow arbitrary command execution in the agent environment, which is especially dangerous because channel and caption are CLI inputs and media derives from external service output.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The reference image is uploaded externally without any user-facing disclosure or consent prompt. Even if the image is expected by the workflow, silently publishing it to temporary public hosting increases privacy risk because users are not informed that local content will leave the system and may become publicly accessible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits prompt and image URL data to the Seedance API without explicit disclosure that user inputs and reference material are being sent to an external service. This is dangerous because prompts and associated media may contain sensitive information, and undisclosed third-party transmission undermines informed consent and data-governance expectations.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
