ClawHub

Atlas Cloud — AI Image, Video & LLM Generation API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud AI API helper that sends prompts, media, and chat requests to Atlas Cloud, with no hidden persistence or destructive behavior found.

Install only if you are comfortable sending prompts, media URLs, uploaded files, and chat messages to Atlas Cloud for processing and having generated outputs hosted on its CDN. Use revocable API keys, monitor billing, avoid confidential or regulated data unless your policy permits it, and be aware that the image script can also use a Gemini API key if you explicitly use the Google provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares environment-variable requirements and clearly instructs users to make authenticated network requests, yet the static finding indicates those capabilities are not properly declared as permissions. That creates a transparency and governance problem: the skill can access secrets and transmit data externally without clear permission scoping, increasing the chance of unreviewed secret use and unexpected outbound data flow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The file markets broad functionality that is not actually implemented, including unified multi-provider support, LLM access, and pricing comparison behavior. Security-wise, this is dangerous because users and orchestration systems may route unrelated requests to this skill under false assumptions, causing unintended external transmission of prompts, media, or credentials to a third-party service.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation language is extremely broad and is designed to match many generic AI-related requests, not just narrow Atlas Cloud operations. In context, that broad matching increases the probability that sensitive user prompts, files, or development tasks are routed to this third-party API skill unnecessarily, expanding data-exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file instructs users to send prompts and an API key to a third-party remote service but does not warn that prompts, system messages, and possibly sensitive user data will leave the local environment. In an agent skill context, this omission can lead users to unknowingly transmit confidential data to Atlas Cloud.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs users to send prompts and optional image URLs to a third-party API but provides no warning that these inputs may contain sensitive business, personal, or copyrighted data. In a skill designed to be copied into real projects, this omission can cause unintended disclosure because users may assume sample code is safe for arbitrary inputs.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Submit task
curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateImage" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "bytedance/seedream-v5.0-lite", "prompt": "A cherry blossom garden", "size": "2048*2048"}'
Confidence
97% confidence
Finding
curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateImage" \ -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \ -H "Content-Type: application/json" \ -d '{"model": "bytedance/seedream-

External Transmission

Medium
Category
Data Exfiltration
Content
| Type | Endpoint | Method |
|------|----------|--------|
| **Image Generation** | `https://api.atlascloud.ai/api/v1/model/generateImage` | POST |
| **Video Generation** | `https://api.atlascloud.ai/api/v1/model/generateVideo` | POST |
| **Poll Result** | `https://api.atlascloud.ai/api/v1/model/prediction/{id}` | GET |
| **LLM Chat** | `https://api.atlascloud.ai/v1/chat/completions` | POST |
Confidence
95% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
| Type | Endpoint | Method |
|------|----------|--------|
| **Image Generation** | `https://api.atlascloud.ai/api/v1/model/generateImage` | POST |
| **Video Generation** | `https://api.atlascloud.ai/api/v1/model/generateVideo` | POST |
| **Poll Result** | `https://api.atlascloud.ai/api/v1/model/prediction/{id}` | GET |
| **LLM Chat** | `https://api.atlascloud.ai/v1/chat/completions` | POST |
| **Model List** | `https://console.atlascloud.ai/api/v1/models` | GET (no auth) |
Confidence
95% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
|------|----------|--------|
| **Image Generation** | `https://api.atlascloud.ai/api/v1/model/generateImage` | POST |
| **Video Generation** | `https://api.atlascloud.ai/api/v1/model/generateVideo` | POST |
| **Poll Result** | `https://api.atlascloud.ai/api/v1/model/prediction/{id}` | GET |
| **LLM Chat** | `https://api.atlascloud.ai/v1/chat/completions` | POST |
| **Model List** | `https://console.atlascloud.ai/api/v1/models` | GET (no auth) |
Confidence
94% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
| **Image Generation** | `https://api.atlascloud.ai/api/v1/model/generateImage` | POST |
| **Video Generation** | `https://api.atlascloud.ai/api/v1/model/generateVideo` | POST |
| **Poll Result** | `https://api.atlascloud.ai/api/v1/model/prediction/{id}` | GET |
| **LLM Chat** | `https://api.atlascloud.ai/v1/chat/completions` | POST |
| **Model List** | `https://console.atlascloud.ai/api/v1/models` | GET (no auth) |

All requests (except Model List) require:
Confidence
94% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Submit task
curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateImage" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "bytedance/seedream-v5.0-lite", "prompt": "A cherry blossom garden", "size": "2048*2048"}'
Confidence
97% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
# Returns {"code": 200, "data": {"id": "prediction_xxx"}}

# Poll result (every 3 seconds)
curl -s "https://api.atlascloud.ai/api/v1/model/prediction/{prediction_id}" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY"
# When done: {"data": {"status": "completed", "outputs": ["https://cdn..."]}}
```
Confidence
96% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Video Generation

```bash
curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateVideo" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "kwaivgi/kling-v3.0-std/text-to-video", "prompt": "A rocket launching", "duration": 5, "aspect_ratio": "16:9"}'
Confidence
96% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
client = OpenAI(
    api_key="your-atlascloud-api-key",
    base_url="https://api.atlascloud.ai/v1",
)
response = client.chat.completions.create(
    model="qwen/qwen3.5-397b-a17b",
Confidence
96% confidence
Finding
https://api.atlascloud.ai/

Context Leakage

High
Category
Data Exfiltration
Content
| `atlas_get_model_info` | Get detailed API docs and schema for a model |
| `atlas_generate_image` | Submit image generation task |
| `atlas_generate_video` | Submit video generation task |
| `atlas_chat` | Send chat completion request |
| `atlas_get_prediction` | Check generation status and get results |
| `atlas_quick_generate` | One-step: auto-find model + generate |
Confidence
92% confidence
Finding
Send chat

External Transmission

Medium
Category
Data Exfiltration
Content
"""
    # Step 1: Submit generation task
    payload = {"model": model, "prompt": prompt, **kwargs}
    resp = requests.post(f"{BASE_URL}/model/generateVideo", json=payload, headers=HEADERS, timeout=50)
    resp.raise_for_status()
    data = resp.json()
Confidence
94% confidence
Finding
requests.post(f"{BASE_URL}/model/generateVideo", json=

External Transmission

Medium
Category
Data Exfiltration
Content
---

## cURL

### Text-to-Video
Confidence
90% confidence
Finding
cURL ### Text-to-Video ```bash PREDICTION_ID=$(curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateVideo" \ -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \ -H "Content-Type: applica

External Transmission

Medium
Category
Data Exfiltration
Content
### Image-to-Video

```bash
PREDICTION_ID=$(curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateVideo" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateVideo" \ -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Text-to-Video

```bash
PREDICTION_ID=$(curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateVideo" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
89% confidence
Finding
https://api.atlascloud.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
### Image-to-Video

```bash
PREDICTION_ID=$(curl -s -X POST "https://api.atlascloud.ai/api/v1/model/generateVideo" \
  -H "Authorization: Bearer $ATLASCLOUD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.atlascloud.ai/

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal