图片视频生成 (Image/Video Generation)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it advertises, but it sends credentials and media over plaintext HTTP and creates default background watchers that can read session data and post results back into chats or transcripts.

Install only if you trust the EasyClaw relay and are comfortable sending prompts, uploaded media, API tokens, and task results through this skill. Prefer HTTPS-only configuration, avoid sensitive reference files, use --no-watch when background delivery is not needed, inspect created cron jobs, and rotate any credentials that may have been exposed via HTTP, query strings, or command-line arguments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Tainted flow: 'request' from os.environ.get (line 443, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 96%
Content:
)
    request = urllib.request.Request(f"{url}?{query}", method="GET")
    try:
        with urllib.request.urlopen(request) as response:
            payload = _parse_json_response(response)
    except urllib.error.HTTPError:
        return []
Finding: with urllib.request.urlopen(request) as response:

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: This script performs outbound chat replies using device credentials and event identifiers, which is materially beyond a media-generation skill's stated purpose. In an agent context, this creates an unexpected communication channel that can send task results into chats without clear user mediation, increasing the risk of unauthorized message delivery, data leakage, or misuse of stored bot/device tokens.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The code enumerates inbound events and resolves event context from message ID, sender ID, and bot ID, which gives the skill access to chat metadata unrelated to image/video generation. That broader access can be abused to correlate users and conversations, pick reply targets heuristically, and send background notifications into conversations the user did not explicitly designate.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The script appends assistant-authored content directly into local session transcripts and mutates the session store on disk, allowing background alteration of conversation history. In an agent environment this is more dangerous because it can silently inject messages that appear legitimate, influence later model behavior, tamper with audit trails, or overwrite/update arbitrary session paths if unsafe paths are supplied.
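
The session-transcript finding above has two parts: a background writer can alter history silently, and if the session path is taken from untrusted input it can write outside the store. The following is an added example, not the skill's code, of the two checks a reviewer would want to see in such a writer: the caller-supplied session id is confined to the store directory, and every appended entry is tagged with its writer so a watcher's message cannot pass as the user's own turn. The JSONL-per-session layout, the file names and the field names are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Added example, not the skill's own code. The store layout (one JSONL file
# per session id under store_dir) and the entry fields are assumptions.


def resolve_session_path(store_dir, session_id):
    """Map a caller-supplied session id to a file inside store_dir, refusing
    anything that could resolve elsewhere: empty ids, path separators, '.'/'..',
    and (defence in depth) any resolved target whose parent is not the store."""
    store = Path(store_dir).resolve()
    if not session_id or any(c in session_id for c in "/\\") or session_id in (".", ".."):
        raise ValueError(f"invalid session id: {session_id!r}")
    target = (store / f"{session_id}.jsonl").resolve()
    if target.parent != store:
        raise ValueError(f"session path escapes store: {target}")
    return target


def session_id_is_accepted(store_dir, session_id):
    """Boolean wrapper around resolve_session_path for checks and tests."""
    try:
        resolve_session_path(store_dir, session_id)
        return True
    except ValueError:
        return False


def append_to_transcript(store_dir, session_id, role, content, source="background"):
    """Append one message. The 'source' field records who wrote the entry so a
    later reader (or the model) can distinguish a watcher's notification from
    the conversation the user actually had."""
    path = resolve_session_path(store_dir, session_id)
    path.parent.mkdir(parents=True, exist_ok=True)
    entry = {"role": role, "content": content, "source": source}
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return path


def read_transcript(path):
    """Read a JSONL transcript back into a list of entries."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo_roundtrip():
    """Write one background entry into a throwaway store and read it back."""
    with tempfile.TemporaryDirectory() as store:
        path = append_to_transcript(store, "sess-01", "assistant", "task 8f1c finished")
        return read_transcript(path)
```

A session id such as `../../etc/cron.d/evil` or an absolute path is rejected before any file is opened; the `target.parent != store` check catches anything the character filter misses. The `source` tag does not stop a watcher from appending, but it makes the appended entry attributable, which is what an audit trail needs.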

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The script's advertised purpose is media generation, but it also provisions recurring task watchers via cron/OpenClaw after submission. That introduces persistence-like job scheduling and external follow-up behavior not clearly disclosed by the skill description, increasing the attack surface and creating opportunities for unintended background activity or notification exfiltration.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The hidden --notify-session-key and --notify-session-id parameters enable notification/session targeting while being suppressed from normal help output. In combination with automatic watch-job scheduling, this obscures a capability unrelated to basic image/video generation and could be abused to route task-status data to unintended sessions or conceal background automation from users.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: This file's behavior materially exceeds the declared image/video generation purpose by creating background cron jobs, crafting prompts for autonomous execution, and managing message delivery targets. In a media-generation skill, hidden task scheduling and messaging behavior is especially suspicious because it creates persistence and off-path actions unrelated to the advertised function.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code inspects local session stores, conversation history, and messaging metadata to derive reply targets and notification routing, despite the skill being presented as an image/video generator. This broad access to unrelated local data increases the chance of privacy leakage and unauthorized message targeting, and the mismatch in stated purpose makes the behavior more dangerous.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The CLI description says it creates a watcher for a VEO relay task, but the implementation also performs session appends and ClawX/easyclaw reply routing. This misleading scope can hide security-relevant behavior from reviewers and users, increasing the risk of unnoticed background messaging and persistence.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The default prompt instructs the agent to use a special trigger token ('-openclaw') that is not defined anywhere in the skill interface and has no documented activation constraints. Ambiguous control tokens can cause unintended tool routing, prompt-injection-like behavior, or accidental invocation paths, especially in systems that parse magic strings or mode-switch directives from prompts.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The guide explicitly states that when reference images are used, the script uploads image data via multipart and also sends a Base64 fallback, but it provides no user-facing warning, consent step, or data-handling guidance. In an image/video generation skill, users may reasonably supply local photos containing sensitive personal or proprietary content, so silent transmission increases privacy and data-exposure risk.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The setup instructions direct users to obtain and configure a platform token, including fallback variable names for API keys and secrets, but provide no warning that these credentials are sensitive or must be stored and handled securely. This increases the risk that users paste long-lived secrets into unsafe locations, logs, screenshots, shared configs, or source control, especially because the skill is designed for external model/service access and references non-HTTPS endpoints.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The client is hardcoded to use plain HTTP endpoints for both the API and user portal, while also sending authentication material via X-API-Token or X-API-Key/X-API-Secret headers. This exposes credentials and request/response data to interception or modification by any network attacker on the path, which is especially dangerous because this skill is designed to call remote generation services automatically.

Missing User Warnings
Severity: Medium
Confidence: 83%
Finding: The code sends credential-bearing requests containing device tokens to remote endpoints derived from runtime parameters, without any in-code guardrails about destination trust or explicit user disclosure. In this skill context, that is more concerning because the declared purpose is media generation, so operators may not expect the skill to contact messaging backends and transmit authentication material during background task completion.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script reads platform API credentials from environment variables and injects them into generated watcher command lines. Command-line arguments are often exposed to process listings, logs, crash reports, and job definitions, so this can disclose secrets well beyond the intended runtime context.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The network request includes device_token in the URL query string without any user-facing warning. Query parameters are commonly logged by servers and intermediaries, so this handling exposes long-lived messaging credentials and is particularly risky in a skill whose stated purpose does not justify messaging backend access.
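
The tainted-flow finding at the top of the list, the plain-HTTP finding and the query-string finding above all describe one defect: a credential read from the environment is placed in a GET URL that is then sent over whatever scheme the base URL happens to carry. The following is an added example, not the skill's code, that contrasts that pattern with a hardened version which refuses non-HTTPS base URLs and carries the token in a request header. The /status path, the allow_insecure switch and the function names are assumptions; X-API-Token is the header name the report says the client already uses.

```python
import urllib.parse
import urllib.request

# Added example, not the skill's own code. The "/status" path and the
# allow_insecure switch are assumptions; X-API-Token is the header name the
# scan report attributes to the client.


def insecure_status_request(base_url, device_token, task_id):
    """The flagged pattern: the credential rides in the query string and the
    scheme is whatever the caller passed, so http:// goes out in the clear."""
    query = urllib.parse.urlencode({"task_id": task_id, "device_token": device_token})
    return urllib.request.Request(f"{base_url.rstrip('/')}/status?{query}", method="GET")


def enforce_https(base_url, allow_insecure=False):
    """Normalise a base-URL override: accept https only, unless the operator
    has explicitly opted into plaintext (for example a loopback relay in a test)."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme == "https" or (parts.scheme == "http" and allow_insecure):
        return base_url.rstrip("/")
    raise ValueError(f"refusing non-HTTPS base URL: {base_url!r}")


def base_url_is_accepted(base_url, allow_insecure=False):
    """Boolean wrapper around enforce_https for checks and tests."""
    try:
        enforce_https(base_url, allow_insecure)
        return True
    except ValueError:
        return False


def hardened_status_request(base_url, device_token, task_id, allow_insecure=False):
    """Same call with the transport pinned to HTTPS and the token moved into a
    header. The request line (path plus query) is routinely written to server
    and proxy access logs and browser/shell history; header values normally
    are not, and under TLS neither is visible on the wire."""
    base = enforce_https(base_url, allow_insecure)
    query = urllib.parse.urlencode({"task_id": task_id})
    req = urllib.request.Request(f"{base}/status?{query}", method="GET")
    req.add_header("X-API-Token", device_token)
    return req


def token_leaks_in_url(req, token):
    """Review helper: does the credential appear anywhere in the URL itself?"""
    return token in req.full_url
```

Moving the token into a header does not help if the scheme is still http, which is why the two changes belong together; the default of refusing plain HTTP, with an explicit opt-out, matches the "HTTPS-only configuration" advice in the overview. Note that urllib stores header names capitalised, so the header is read back as `req.get_header("X-api-token")`.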

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The script can create, edit, and remove background cron jobs with no explicit confirmation, warning, or permission gate. Silent persistence is security-relevant because it enables ongoing execution and follow-up actions after the apparent user interaction has ended.
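
The two findings above about cron (API credentials injected into watcher command lines, and jobs created with no confirmation gate) and the overview's advice to inspect created cron jobs come down to one review step: read the installed crontab, list the jobs the skill added, and flag any that carry a secret on argv or point at a plaintext endpoint. The following is an added example, not the skill's or OpenClaw's code, that performs that check over a constructed crontab. The watch_task.py script name and the --api-key, --api-key-file and --base-url flags are assumptions about what such a generated job might look like.

```python
import re
import shlex

# Added example, not the skill's or OpenClaw's code. SAMPLE_CRONTAB is
# constructed; the script name and flag names are assumptions.

SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/bin/python3 /opt/skills/media_gen/watch_task.py --task-id 8f1c --api-key sk_live_3b9c1f7d4e2a6b8c9d0e --base-url http://easyclaw.bar/api
0 3 * * * /usr/bin/find /tmp -type f -mtime +7 -delete
*/10 * * * * /usr/bin/python3 /opt/skills/media_gen/watch_task.py --task-id 77aa --api-key-file /etc/media_gen/key --base-url https://easyclaw.bar/api
"""

# Flags whose value is a credential (anchored, so --api-key-file is not matched).
SECRET_FLAG = re.compile(r"^--?(api[-_]?key|api[-_]?secret|device[-_]?token|token|secret|password)$", re.I)
# A bare argument that looks like a token even without a telltale flag.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")
PLAINTEXT_URL = re.compile(r"(^|=)http://", re.I)


def parse_crontab(text):
    """Return (schedule, command) pairs; comments, blank lines and
    environment assignments (fewer than six fields) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        entries.append((" ".join(fields[:5]), fields[5]))
    return entries


def audit_command(command):
    """List the problems in one cron command: secrets on argv (visible in
    ps, logs, crash reports and the crontab itself) and plaintext endpoints."""
    problems = []
    argv = shlex.split(command)
    i = 0
    while i < len(argv):
        arg = argv[i]
        flag, has_eq, inline_value = arg.partition("=")
        if SECRET_FLAG.match(flag):
            value = inline_value if has_eq else (argv[i + 1] if i + 1 < len(argv) else "")
            if value and not value.startswith("-"):
                problems.append(f"secret passed on argv via {flag}")
                if not has_eq:
                    i += 1  # consume the value so it is not reported twice
        elif TOKEN_LIKE.match(arg):
            problems.append(f"token-like bare argument {arg[:6]}...")
        if PLAINTEXT_URL.search(arg):
            problems.append(f"plaintext endpoint {arg}")
        i += 1
    return problems


def audit_crontab(text, watcher_marker="watch_task.py"):
    """Map each cron command to its problems. Jobs that reference the watcher
    script are listed even when clean, so the reviewer sees every job the
    skill installed, not only the broken ones."""
    report = {}
    for _schedule, command in parse_crontab(text):
        problems = audit_command(command)
        if problems or watcher_marker in command:
            report[command] = problems
    return report
```

Feed it the output of `crontab -l` (or the contents of the cron.d file the skill writes). The third sample job shows the shape a fixed watcher should take: the credential is read from a root-owned, mode 0600 file named by --api-key-file rather than placed on the command line, and the base URL is https. Against the sample, the first job is reported with two problems, the find job is ignored, and the fixed watcher is listed with none.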

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The skill instructs users to obtain and use platform API tokens and defaults to plain HTTP endpoints (`http://easyclaw.bar/...`) without any credential-handling or transport-security warning. This creates a credible risk of token interception, accidental disclosure, and sending prompts/media over an unencrypted connection, especially because the skill explicitly normalizes base URL overrides and token-based access.

VirusTotal

64/64 vendors flagged this skill as clean.
