qwen-omni-multimodal

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Qwen Omni cloud API wrapper that sends user-selected text and media to Aliyun DashScope and optionally saves local session history.

Install only if you are comfortable sending selected prompts, images, audio, and video to Alibaba Cloud DashScope. Prefer an environment variable or secret manager for the API key, keep any config.json private, verify the base URL is trusted, use --dry-run for previews, and clear saved sessions when they may contain private material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 89%
Finding
The documentation states that API credentials may be sourced from environment variables or a local config.json file, but it does not warn that these secrets require careful storage, exclusion from version control, and redaction from logs. In a skill intended for agent use, this omission can lead operators to store long-lived keys insecurely or expose them through local files and debugging output.

Missing User Warnings

Medium
Confidence: 94%
Finding
The file explains that text, images, audio, and video are sent to a remote DashScope API, but it does not clearly warn users that local multimodal content will leave the host and be processed by a third-party service. For a multimodal skill handling potentially sensitive recordings, screenshots, or videos, this omission can cause unintended disclosure of personal, confidential, or regulated data.

VirusTotal

63/63 vendors flagged this skill as clean.
