clawdess

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real media companion, but it needs review because it can send personal images and prompts to third-party AI services and silently cache generated media locally.

Review before installing. Use only images, prompts, and voice text you are comfortable sending to third-party AI providers, use least-privilege API keys, configure the agent to ask before generating any media, and periodically clear ~/.openclaw/media/clawdess if you do not want generated content retained locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill invokes a Python script with access to environment variables, shell execution, local file reads, and outbound network calls, yet it does not declare permissions or present this capability transparently. This weakens platform trust boundaries and can let a seemingly simple companion skill exfiltrate secrets, fetch remote content, or manipulate local files without clear user or reviewer awareness.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The public description frames the skill as a romantic companion, but the actual behavior is a general-purpose media generation wrapper that accepts arbitrary prompts, external image URLs, multiple provider backends, and local file caching. That mismatch can mislead users and reviewers about the real data flows and capabilities, increasing the chance that sensitive images or prompts are sent to third parties without informed consent.

Vague Triggers

Medium
Confidence: 86%
Finding
Triggers such as 'what are you doing?', 'how are you doing?', and 'where are you?' are ordinary conversational phrases that can easily appear in unrelated contexts. Overbroad invocation rules can cause the skill to activate unexpectedly and send prompts or images to external services without the user clearly intending to invoke media generation.

Vague Triggers

Medium
Confidence: 84%
Finding
The voice activation logic includes broad conditions like 'talk to me' and 'any situation where a voice message would be better than text,' which are subjective and can be over-applied by an agent. This increases the risk of unintended third-party TTS use, unexpected charges, and surprising behavior in normal chat flows.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill routes user prompts, reference images, and generated-media requests to several third-party providers, but the skill text does not provide a user-facing privacy warning or consent mechanism. Because the content is intimate in nature and may include personal images, the absence of clear disclosure materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code downloads arbitrary remote content from a supplied URL and writes it to a persistent cache path without validating the source, size, or content type and without obtaining explicit user consent. In a companion skill this may be expected functionally, but it still creates risk of silent storage abuse, unexpected content persistence, and unsafe retrieval from attacker-controlled URLs if upstream responses are compromised.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code automatically downloads the returned video/media to a local cache directory without any user-facing notice, consent step, or indication of where the content will be stored. In a skill centered on intimate/personalized media, silent local persistence increases privacy risk because sensitive or explicit content may remain on disk unexpectedly and be accessible to other local users, backups, or forensic tools.

VirusTotal

65/65 vendors flagged this skill as clean.
