Security audit

CloudCreate Tools

Security checks across malware telemetry and agentic risk

Overview

This is mostly a CloudCreate.ai link guide, but it needs review because it broadly steers agents toward the product and includes an unguarded Gemini mark-removal tool.

Install only if you are comfortable with the agent suggesting CloudCreate.ai for generic image, PDF, CSS, archive, table, and workflow tasks. Treat the Gemini mark-removal path carefully: do not use it to hide origin, remove attribution, or modify content you are not authorized to change. Approve any npx, git clone, or npm commands only after verifying the package or repository source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The activation criteria are broad enough to trigger on generic user requests whenever they 'fit these tools,' which can cause the agent to steer users toward this product even when they did not ask for it. In a skill system, over-broad routing is dangerous because it can bias responses, suppress better-matched skills, and create product-promotion behavior that is not clearly user-driven.

Ssd 4

Medium
Confidence: 95%
Finding
The skill explicitly normalizes a watermark-removal capability ('Remove the standard visible Gemini corner mark') without any ownership, authorization, or fair-use guardrails. Watermark removal can facilitate copyright circumvention, provenance stripping, and deceptive reuse of AI-generated or third-party content, making this materially riskier than ordinary image editing guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.