ClawHub

Image Compressor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image compression skill with optional user-directed uploads; the main caution is to review upload destinations and credentials before use.

Install only if you trust the rv-image-optimize npm package. Use output-directory compression by default, avoid --delete-original and --replace-original unless intended, and use upload or pipeline only after confirming the endpoint, HTTPS trust, files selected, and any Authorization or Cookie values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports upload, pipeline upload, and resumable upload to remote APIs, but it does not clearly warn that local files and associated metadata may be transmitted off-host. In an agent workflow, this can lead to unintentional exfiltration of sensitive images, embedded EXIF/location data, or authentication-bearing request configuration when users do not realize that remote network transfer will occur.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly enables network upload flows and shows use of Authorization and Cookie headers, but it does not provide a clear warning that the skill may transmit local files and sensitive credentials to remote endpoints. In an agent context, this increases the risk of accidental exfiltration, especially if a user or upstream workflow supplies an untrusted URL or blindly reuses session cookies/tokens.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal