ClawHub

Image Compression

Security checks across malware telemetry and agentic risk

Overview

The skill mainly compresses images, but its send helpers can immediately upload user-selected images to WeChat or Telegram and one helper runs an unreviewed hard-coded local script.

Use the compression-only script when you only want local resizing. Treat the WeChat and Telegram helpers as upload/send tools: verify the image path, recipient, and account before running them, and avoid the WeChat helper unless you have inspected and trust the hard-coded external WeChat script on your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documentation includes examples for sending images to WeChat and Telegram but does not clearly warn users that files may be transmitted to external messaging services. This creates a privacy and data-handling risk because users may run the provided commands without appreciating that local images will leave the device and be shared with third-party platforms.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits a user-supplied image to WeChat immediately after compression without any explicit confirmation, preview, or destination verification. In an agent/skill context, this increases the risk of unintended data exfiltration because a mistaken path, automation misuse, or prompt-triggered invocation could send sensitive files to a chat target without the user's awareness at send time.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits a user-supplied image to Telegram via `openclaw message send` without any confirmation, disclosure, or logging that a network transfer to a third-party service will occur. This creates a privacy and data-handling risk because users may believe the script only performs local compression, while it actually exfiltrates image content to an external messaging platform.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal