OpenClaw Selfie

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated image-generation purpose, but it needs review because its helper can send service keys to non-Tuqu URLs, and its payment and face-photo workflows lack clear safeguards.

Install only if you trust the Tuqu provider and are comfortable sending prompts, images, face photos, and role-specific service keys to it. Avoid absolute URLs, custom base URLs, and query-string credentials; require explicit confirmation before paid generation, recharge, or deletion; and clarify retention and deletion expectations before uploading real face photos.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The helper allows `path` to be a full `http://` or `https://` URL, and when combined with `--auth-mode` and `--service-key` it will send authentication headers or body credentials to any attacker-controlled host. In a skill that is supposed to operate only against tuqu.ai endpoints, this turns the tool into a generic authenticated HTTP client and a credential-exfiltration primitive: whoever controls `path` controls where the service key is sent.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
By accepting arbitrary absolute URLs, this script effectively exposes a generic outbound HTTP capability rather than a narrowly scoped helper for the documented tuqu.ai APIs. In agent settings, overbroad network primitives materially increase abuse potential because prompts or tool misuse can redirect requests and leak data or perform unintended network actions.

Vague Triggers

Medium
Confidence: 87%
Finding
The description includes broad trigger phrases like generic image requests and common Chinese phrases that could match ordinary conversation, causing over-activation of the skill. An over-broad trigger surface is dangerous because it can route unrelated user prompts into a networked, billable, state-changing tool flow without sufficiently clear user intent.

Vague Triggers

Medium
Confidence: 84%
Finding
The classification guidance uses open-ended buckets and asks the agent to infer whether the current role should appear when requests are ambiguous. That ambiguity can cause the agent to make tool-routing decisions without explicit confirmation, increasing the chance of unintended API calls, character creation, or billable generations.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill explicitly documents recharge endpoints and payment flows but does not require any user confirmation, warning, or safeguard before initiating real-money transactions. In an agent setting, this can enable unintended purchases or balance top-ups if the model interprets a vague request as authorization to recharge, creating financial risk and account impact beyond normal image-generation actions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly allows service keys to be supplied in query parameters or request bodies, which increases the chance secrets will be exposed through logs, browser history, intermediary proxies, analytics systems, and referrer leakage. Because this skill covers billing and recharge flows, compromise of a service key could enable unauthorized balance inspection or payment-session creation tied to the project.
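The first, second and sixth findings describe one primitive from three angles: `path` is resolved as a full URL, so the destination host is caller-chosen, and `--auth-mode` decides whether the key travels in a header, the query string or the body. The following is an added example, not the skill's own helper or Tuqu's API: it models that behaviour in a small `build_request_unsafe` and puts a hardened `build_request_safe` beside it. The function names, the `api.tuqu.ai` base URL, the host allowlist and the endpoint paths are assumptions; the page does not show the real helper or host layout.

```python
"""Added example, not the skill's own helper: a `path`-plus-`--auth-mode`
request builder in the shape the findings describe, beside a hardened version.
Assumptions (not on the page): the function names, the api.tuqu.ai base URL,
the host allowlist and the endpoint paths used below."""
from urllib.parse import urljoin, urlsplit

BASE_URL = "https://api.tuqu.ai/"   # placeholder; the real base URL is not shown on the page
ALLOWED_HOSTS = {"api.tuqu.ai"}     # placeholder allowlist, pinned at build time


def build_request_unsafe(path, auth_mode, service_key):
    """Vulnerable shape: urljoin() lets an absolute `path` replace the base
    entirely, and every auth_mode is honoured, so the caller of the tool
    chooses both the destination host and whether the key lands in the URL."""
    url = urljoin(BASE_URL, path)
    headers, params, body = {}, {}, {}
    if auth_mode == "header":
        headers["Authorization"] = f"Bearer {service_key}"
    elif auth_mode == "query":
        params["service_key"] = service_key      # ends up in logs, history, proxies
    elif auth_mode == "body":
        body["service_key"] = service_key
    return url, headers, params, body


class UnsafeTargetError(ValueError):
    """Raised when a request would leave the pinned host or expose the key."""


def build_request_safe(path, auth_mode, service_key):
    """Hardened variant: `path` must be relative, the key is only ever sent
    as a header, and the host is re-checked after resolution."""
    if "://" in path or path.startswith("//"):
        raise UnsafeTargetError("absolute or scheme-relative URLs are not allowed in path")
    if auth_mode != "header":
        raise UnsafeTargetError("service key may only be sent as an Authorization header")
    url = urljoin(BASE_URL, path.lstrip("/"))
    parts = urlsplit(url)
    # urljoin() returns `path` unchanged when its scheme differs from the base
    # (e.g. "http:evil.example"), so this post-resolution check is what pins the host.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeTargetError(f"refusing to send credentials to {parts.netloc or url!r}")
    if "service_key" in parts.query:
        raise UnsafeTargetError("credential-looking parameter in query string")
    return url, {"Authorization": f"Bearer {service_key}"}, {}, {}


def is_rejected(path, auth_mode="header"):
    """True if the hardened builder refuses to build the request."""
    try:
        build_request_safe(path, auth_mode, "sk-test")
    except UnsafeTargetError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate endpoint, an attacker-supplied absolute URL,
    # and a query-string auth mode.
    for path, mode in [("/v1/images", "header"),
                       ("https://evil.example/collect", "header"),
                       ("/v1/balance", "query")]:
        print("unsafe:", build_request_unsafe(path, mode, "sk-test"))
        print("safe  :", "rejected" if is_rejected(path, mode)
              else build_request_safe(path, mode, "sk-test"))
```

The hardened builder rejects before any request object exists rather than relying on a later network layer, and it verifies the host after resolution instead of only inspecting the input string; that second check is what catches inputs `urljoin()` passes through untouched, such as a bare `http:` scheme, as well as scheme-relative paths.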

Missing User Warnings

Medium
Confidence: 88%
Finding
This workflow explicitly handles face photos and character creation using base64-encoded image data, which involves sensitive personal and potentially biometric information. Without warnings or handling constraints, implementers may store, log, or reuse these images insecurely, increasing risk of privacy violations and unauthorized retention of face data.

Missing User Warnings

Medium
Confidence: 86%
Finding
The recharge workflow tells the agent to return payment artifacts such as checkout URLs, QR codes, order IDs, and session identifiers without any warning about secure handling. These values can enable payment-session hijacking, phishing reuse, or leakage of billing context if logged, cached, or shown to the wrong user.
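The fifth and eighth findings (unconfirmed recharge, and payment artifacts returned with no handling guidance) and the overview's advice to require explicit confirmation before paid generation, recharge or deletion come together in the following added example, which is not the skill's or Tuqu's code: a small dispatcher that blocks protected actions unless the confirmation is bound to the exact action and parameters, and that redacts checkout URLs, QR codes and session identifiers before they reach a log line. The action names, the artifact field names and `fake_backend` are assumptions; the page does not show the real API shape.

```python
"""Added example, not the skill's own code: a tool dispatcher that (a) refuses
billable or destructive actions unless the caller presents a confirmation bound
to the exact action and parameters, and (b) redacts payment artifacts before
they are logged. Assumptions (not on the page): the action names, the artifact
field names, and the fake backend used to exercise the gate."""
import hashlib
import json

# Actions the overview says need explicit confirmation; names are placeholders.
PROTECTED_ACTIONS = {"generate", "recharge", "delete_character"}
# Payment artifacts that let someone else complete or hijack the session; placeholders.
SENSITIVE_FIELDS = {"checkout_url", "qr_code", "session_id"}


class ConfirmationRequired(Exception):
    """Raised when a protected action is attempted without a matching confirmation."""


def confirmation_token(action, params):
    """Binds the user's 'yes' to one action with one parameter set, so a confirmation
    for a 10-credit recharge cannot be replayed for a 1000-credit one."""
    canonical = json.dumps({"action": action, "params": params}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def redact(result):
    """Copy of a backend result with payment artifacts masked for logging."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in result.items()}


def dispatch(action, params, backend, confirmation=None, log=None):
    """Run `action` via `backend`; protected actions need a matching confirmation token.
    The raw result goes back to the caller; only the redacted form is appended to `log`."""
    if action in PROTECTED_ACTIONS and confirmation != confirmation_token(action, params):
        raise ConfirmationRequired(
            f"{action} with {params} needs explicit user confirmation "
            f"(token {confirmation_token(action, params)})")
    result = backend(action, params)
    if log is not None:
        log.append(json.dumps({"action": action, "params": params,
                               "result": redact(result)}, sort_keys=True))
    return result


def fake_backend(action, params):
    """Constructed stand-in for the provider API, returning the artifact kinds the page lists."""
    if action == "recharge":
        return {"order_id": "ord-123", "session_id": "sess-SECRET",
                "checkout_url": "https://pay.example/sess-SECRET",
                "qr_code": "data:image/png;base64,QUJD", "amount": params["amount"]}
    if action == "list_characters":
        return {"characters": ["me"]}
    return {"ok": True}


def is_blocked(action, params, confirmation=None):
    """True if the gate refuses the call against the fake backend."""
    try:
        dispatch(action, params, fake_backend, confirmation=confirmation)
    except ConfirmationRequired:
        return True
    return False


def demo():
    """Walk through the gate once; returns (blocked, allowed_result, log) for inspection."""
    log = []
    dispatch("list_characters", {}, fake_backend, log=log)   # read-only: no confirmation needed
    blocked = is_blocked("recharge", {"amount": 10})          # no token: refused
    token = confirmation_token("recharge", {"amount": 10})   # what the user explicitly approved
    result = dispatch("recharge", {"amount": 10}, fake_backend, confirmation=token, log=log)
    return blocked, result, log


if __name__ == "__main__":
    blocked, result, log = demo()
    print("blocked without confirmation:", blocked)
    print("returned to caller:", result)
    print("logged:", *log, sep="\n  ")
```

The token is derived from the canonical action plus parameters rather than being a free-standing "confirmed" flag, so a confirmation the user gave for one amount does not carry over to a different amount or a different action; the redaction keeps the order ID for reference but never writes the session identifier, checkout URL or QR payload to the log.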

VirusTotal

0 of 66 VirusTotal vendors flagged this skill; all 66 reported it clean. This is a static malware scan of the distributed files and does not assess the agentic risks listed above (credential routing, trigger breadth, unconfirmed payments).
