LiblibAI Image & Video Gen

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal LiblibAI image and video generation integration, with the main user consideration being that prompts and media URLs are sent to LiblibAI.

Install this if you intend to use LiblibAI for generation. Do not submit confidential prompts, private image URLs, or sensitive media unless you are comfortable sharing that content with LiblibAI and have reviewed its data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger text is broad enough to match many common requests for creating images or videos, which can cause this skill to activate unexpectedly. In context, that means ordinary user prompts and possibly user-supplied media may be sent to a third-party generation API when the user did not specifically request LiblibAI, creating privacy, consent, and routing risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation instructs use of API credentials and external generation endpoints but does not warn that prompts, reference images, start frames, and other media will be transmitted to LiblibAI. This is dangerous because users may unknowingly send sensitive text or images to a third party, and the skill also references externally hosted image URLs, further expanding data exposure.

Missing User Warnings

Medium
Confidence: 89%
Finding
This client sends user prompts and user-supplied media URLs to a third-party service without any built-in notice, consent checkpoint, or minimization. In an agent setting, users may not realize their content is leaving the local environment, which creates privacy and compliance risk, especially if prompts or URLs contain sensitive information.

VirusTotal

64/64 vendors flagged this skill as clean.
