Doubao Image Gen 豆包图片生成

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Doubao image-generation workflow that previews results to the user and saves confirmed images locally.

Install this only if you are comfortable sending prompts and generated images through Doubao and the message channel, and with confirmed downloads being kept under D:\OpenClaw\downloads\images\. Manually delete saved images when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

High
Confidence: 96%
Finding
The skill instructs the agent to download generated images and copy them to a local disk path without any explicit user-facing disclosure or separate consent for persistent file writes. This creates a data handling risk because user-generated or potentially sensitive images are stored locally beyond the immediate session, which can violate user expectations and increase exposure if the host is shared or later compromised.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill mandates sending screenshots of generated images via the message tool but does not disclose that image data will be transmitted through that channel. Even if this is functionally necessary for user selection, undisclosed transfer of generated content can expose sensitive or proprietary visual material and bypass informed user consent.

VirusTotal

66/66 vendors flagged this skill as clean.
