Jiekou Multimodal

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for Jiekou multimodal API use, but it needs review because it normalizes unsafe API-key handling and sends user media to an external service with weak privacy disclosure.

Install only if you intend to use Jiekou's cloud API and are comfortable sending prompts and media to api.jiekou.ai. Do not paste API keys into chat; use a dedicated low-privilege key via a protected secret/config mechanism, restrict permissions on any local config file, and review Jiekou pricing and privacy terms before submitting sensitive media or running paid generation tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The skill explicitly instructs users to place API keys directly into chat prompts, which is unsafe because conversational input may be logged, retained, surfaced to models, or accidentally echoed back in responses. This normalizes insecure secret handling and materially increases the chance of credential disclosure and account abuse.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill documents sending user prompts, image URLs, audio/text payloads, and bearer credentials to an external third-party API, but does not clearly warn users that their data will leave the local environment. In a multimodal skill, that omission matters because prompts and media may contain sensitive personal, business, or regulated data.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The API reference instructs users to send user-provided images, audio, video, and text to a third-party service, including by URL or Base64, without any notice about privacy, retention, consent, or sensitive-data handling. In a multimodal skill, this can lead to unintentional transmission of personal or confidential media to an external processor, creating privacy, compliance, and data-governance risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The examples instruct sending user-supplied images, audio, and video URLs to external APIs without any disclosure, consent prompt, or privacy warning. This can lead to unintentional third-party sharing of sensitive biometric, personal, or confidential content, especially in multimodal workflows where users may not realize their media is being transmitted off-platform.

Ssd 3
Severity: Medium
Confidence: 99%
Finding: Telling users to embed API keys in natural-language requests creates a strong risk that secrets will be processed as ordinary prompt content, captured in transcripts, logs, analytics, or model context, and potentially re-exposed. In agent settings this is especially dangerous because downstream tools or summaries may inadvertently include the credential.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The key-resolution logic explicitly instructs the agent to inspect user messages for API keys, which institutionalizes secret collection from chat and increases the likelihood of sensitive credentials being ingested, stored, or mishandled. Even if intended for convenience, this design weakens the separation between secrets and prompt data.

VirusTotal

61/61 vendors flagged this skill as clean.