PPIO Multimodal Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real PPIO multimodal connector, but it handles paid API keys and user media in ways users should review carefully before installing.

Review this skill before installing. Use it only if you intend to send prompts, images, audio, and generated task metadata to PPIO. Do not paste real API keys into chat; prefer a restricted key stored outside conversation history, protect ~/.ppio/config.json with appropriate file permissions, and avoid submitting private photos, meeting recordings, confidential business text, personal data, or regulated content unless PPIO processing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Severity: Medium (92% confidence)

Finding: The examples introduce combination tasks for image analysis and text summarization that are not declared in the skill description. This creates a capability/expectation mismatch that can cause the agent to process additional sensitive user content under undocumented behavior, weakening user consent and reviewability.

Missing User Warnings

Severity: Medium (94% confidence)

Finding: The skill tells users to place API keys directly into a shell command and persistent config file without any warning about shell history, file permissions, or accidental disclosure. This increases the chance of credential leakage through terminal history, screenshots, shared machines, backups, or overly permissive filesystem settings.

Missing User Warnings

Severity: Medium (91% confidence)

Finding: The skill advertises multimodal generation and recognition through PPIO but does not clearly warn that prompts, images, audio, and related content will be sent to a third-party API. Users may unknowingly transmit sensitive personal, proprietary, or regulated data outside the local environment.

Missing User Warnings

Severity: Medium (92% confidence)

Finding: The document instructs users to authenticate with a Bearer API key but does not warn that the key is a secret that must be kept server-side and never embedded in client-side code, shared examples, or logs. In an agent skill context, omission of this guidance can lead developers to expose long-lived credentials in front-end apps or prompts, enabling unauthorized API usage and billing abuse.

Missing User Warnings

Severity: Medium (90% confidence)

Finding: The examples transmit user-supplied images, audio, and text to a third-party service but provide no warning about privacy, consent, retention, or sensitivity of uploaded content. In a multimodal skill, users may send personal, confidential, or regulated data, so the lack of disclosure increases the risk of accidental data leakage to an external processor.

Missing User Warnings

Severity: Medium (97% confidence)

Finding: The examples repeatedly send user-provided images, audio, and text to external PPIO endpoints without any privacy notice, data-sharing disclosure, or consent step. This is risky because users may provide sensitive personal, biometric, or confidential content assuming local handling, while the skill normalizes third-party transmission.

Missing User Warnings

Severity: Medium (95% confidence)

Finding: The test documentation explicitly describes sending attached images, audio, text, and generated outputs to external PPIO endpoints, but does not mention any user-facing notice, consent, or privacy warning. In a multimodal skill, this increases the risk that users unknowingly transmit sensitive media or personal data off-system to a third-party service.

Ssd 3

Severity: Medium (98% confidence)

Finding: The skill explicitly instructs the agent to extract API keys from user messages and prefer that source first, encouraging users to disclose secrets in plain chat text. Chat messages are often logged, retained, reviewed, or exposed to other components, making this a strong credential-handling anti-pattern with real exfiltration and reuse risk.

Ssd 3

Severity: Medium (97% confidence)

Finding: The skill explicitly instructs the agent to read API keys directly from user messages before checking safer storage locations, which normalizes handling secrets in plain chat. This increases the chance of credential exposure through logs, transcripts, prompt injection side effects, or accidental reuse, especially because the skill is designed to operationalize third-party API access.

VirusTotal

65/65 vendors flagged this skill as clean.