AI Image Generator & Splitter

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local AI image tool, but its unauthenticated local web server exposes file, credential, shutdown, and host-interaction capabilities that need review before use.

Install only for a trusted single-user local setup. Do not expose port 2688 to a LAN or the internet, avoid using sensitive API keys or private images, and assume anything entered as a prompt or uploaded as an image may be sent to external providers. Review or disable the upload-by-path, open-folder, shutdown, and prompt/config editing endpoints before running it in any shared or production environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (26)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The popup manager fetches HTML from a dynamically constructed component path, injects it into the DOM with .html(), and then explicitly executes embedded scripts via eval(). If an attacker can influence the url parameter, component contents, or upstream component storage, this becomes arbitrary script execution in the application's origin, enabling XSS, session theft, DOM compromise, or privileged action execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The /api/open-folder endpoint allows any remote caller to trigger OS-level actions on arbitrary existing paths via child_process.exec. Wrapping the path in quotes does not neutralize a quote character inside the path itself, so command injection remains possible on some platforms; even without injection, the endpoint hands an unauthenticated caller a dangerous local capability, namely unauthorized interaction with the host desktop/session.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The /api/shutdown endpoint lets any caller terminate the server process without authentication or authorization. This is a trivial remote denial-of-service primitive and is especially dangerous because the service also enables CORS broadly, making accidental or cross-origin triggering more plausible.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The handler copies caller-supplied secrets such as api_key, platform_token, and model_api_key into process.env, which is global mutable state shared across all requests in the Node.js process. In a multi-user or concurrent environment, one user's credentials can overwrite another's, causing cross-tenant credential leakage, confused-deputy behavior, and accidental use of the wrong secret in later operations such as polling.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The handler accepts attacker-controlled local file paths via data.file_path or data.base64 and reads the file directly from disk before uploading it to a remote server. This creates an arbitrary file read and exfiltration primitive that could expose sensitive files such as SSH keys, configuration files, tokens, or system data if an untrusted caller can reach this method.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code fetches arbitrary HTTP/HTTPS URLs and then processes and re-uploads the response body, giving the service outbound network retrieval capability beyond normal file upload. This can be abused for SSRF-style access to internal services or to make the server retrieve untrusted content, especially because there is no hostname/IP allowlist or blocklist.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The relative-path handler strips a /images/ prefix and then uses path.join(basePath, relativePart) without canonical path validation. An attacker can supply traversal segments like /images/../../.ssh/id_rsa to escape the intended image directory, read arbitrary local files, and then have them uploaded to the remote server.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documentation instructs users to configure third-party API keys and use image generation and prompt-generation features, but it does not clearly warn that prompts, uploaded reference images, and possibly related metadata will be transmitted to external AI/LLM services. This creates a real privacy and data-handling risk because users may upload sensitive images or confidential text without informed consent, especially in a locally hosted tool that may otherwise appear self-contained.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The markdown advertises deletion, open-folder, and shutdown capabilities and lists corresponding API endpoints, but provides no safety warning, access-control note, or indication that these actions should be restricted to trusted local users. In context, these functions can affect local files and service availability, so undocumented exposure increases the chance that operators deploy the skill insecurely or assume the endpoints are harmless.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation explicitly advertises deletion and local file-system access features such as deleting works and opening a file directory, but it does not warn users about the effect these actions can have on local data. In a skill that runs a local web service and manages user files, missing safety guidance increases the risk of accidental destructive actions or misuse, especially if the related endpoints are exposed without strong safeguards.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The component transmits both user-provided prompt text and an API key from browser storage to `/api/generate-prompt` without any visible consent, disclosure, or indication of where the data will be sent or processed. Sending secrets from client-side storage in application requests increases the risk of credential exposure through browser compromise, logs, intermediaries, debugging tools, or backend mishandling, especially because the key appears to be user-supplied and sensitive.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Reading a long-lived API key from `localStorage` is unsafe because any script running in the page origin, including injected script via XSS or compromised third-party code, can access it. The lack of disclosure is secondary; the core issue is insecure client-side handling of a sensitive credential in a persistently readable store.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code stores API keys and tokens in localStorage, which is readable by any script executing in the page origin, including injected scripts from an XSS flaw or a compromised third-party dependency. Although the UI notes that keys are stored locally, it does not provide a meaningful security warning or use a safer storage model for secrets, making credential theft materially easier if the frontend is ever exposed to script injection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The component reads a locally stored API key from localStorage and automatically transmits it to `/api/poll/${taskId}` when the retry action is clicked, without any visible disclosure that a sensitive credential will be sent. In this file, any script injection vulnerability elsewhere in the app could also access that key from localStorage, so storing and forwarding it this way increases exposure and makes credential misuse easier.

Missing User Warnings

Low
Confidence
87% confidence
Finding
Clicking the displayed path invokes `openFolder('${work.path}')`, which sends the path to `/api/open-folder` and triggers a host-level file explorer action without confirmation or clear warning. Because `work.path` is backend-provided data rendered into an inline event handler, this creates a risky bridge from untrusted task data to a system-affecting operation, potentially exposing sensitive filesystem locations or enabling abuse if the backend endpoint is weakly validated; a quote character in `work.path` would also break out of the handler string itself.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The UI sends a POST request to '/api/open-folder' with 'work.path' and does so immediately on button click, without any visible confirmation or client-side restriction. If an attacker can influence 'work.path' via backend data, this could trigger opening arbitrary local filesystem locations, which is risky in a desktop or hybrid app context because it can expose sensitive directories or be abused for social engineering and privacy leakage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The text explicitly states that API keys and tokens are stored in the browser's localStorage, which is a persistent client-side store accessible to any script running in the origin. If the application is affected by XSS, malicious third-party scripts, or a compromised browser environment, these secrets can be extracted and abused to access paid APIs, upload services, or user data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The text explicitly states that API keys and platform tokens are stored in browser localStorage. localStorage is accessible to any script running in the origin, so if the application has an XSS flaw, injected or third-party scripts could read and exfiltrate these credentials; the absence of any warning may also mislead users into treating this as low risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The page reads API credentials from localStorage and sends them to the backend in a normal application request. Storing secrets in localStorage exposes them to any JavaScript running in the origin, so any XSS or compromised frontend dependency could steal long-lived keys; additionally, transmitting them from browser state to the server broadens exposure and makes credential handling less explicit to users.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The page loads API keys and tokens from browser localStorage, which is readable by any JavaScript executing in the origin, including injected scripts or compromised third-party code. Persisting long-lived secrets in localStorage increases exposure because the values remain available across sessions and are not protected as HttpOnly cookies or server-side secrets.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
This function writes API credentials and tokens directly into localStorage, creating persistent client-side storage of secrets. If the application ever suffers XSS, malicious browser extensions, shared-device access, or same-origin script compromise, these credentials can be trivially extracted and abused.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This route writes multiple user-supplied secrets and configuration values into global process.env, creating shared mutable state across all users and requests. In a multi-user or concurrent environment, one caller can overwrite credentials or save paths used by another request, causing cross-user mix-ups, unauthorized API usage, or writes to unintended filesystem locations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This endpoint executes a local OS command based on attacker-controlled input and performs the action immediately without authentication or confirmation. Even aside from user-warning concerns, exposing filesystem browsing and shell-backed process launch to remote callers is a real security issue because it grants host interaction capabilities unrelated to normal web API behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Storing sensitive credentials from incoming requests in environment variables is unsafe because environment variables are process-wide and often implicitly trusted, logged, inherited, or reused by unrelated code. This can expose secrets to other requests, background tasks, crash dumps, or diagnostic tooling, especially since the code later relies on those globals for follow-up operations.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The upload flow explicitly supports local absolute paths, relative local paths, and remote URLs, but there is no visible consent, warning, or policy gate before local file access and remote transmission occur. In a skill/agent context, that increases the risk of silent data exfiltration because users may expect image upload behavior, not arbitrary file reading and forwarding.

VirusTotal

65/65 vendors flagged this skill as clean.