Security audit

wangyi-banana2

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real WangYi/T8 image and video generator, but it repeatedly gives unsafe setup guidance that can expose a paid API key in chat.

Install only if you trust the WangYi/T8 service with your prompts, selected media, and API usage. Do not paste API keys into chat; use an environment variable or local OpenClaw config file, and rotate any key already shared in a conversation. Avoid submitting sensitive personal, business, or private media unless you are comfortable sending it to the external provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires shell execution, filesystem access, and environment-variable access, but does not declare corresponding permissions or otherwise make those capabilities explicit to users/reviewers. This creates a transparency and trust boundary problem: an agent may execute scripts with sensitive inputs and write files without the permission model clearly signaling that behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill reads API credentials from ~/.openclaw/openclaw.json in addition to explicit user input and environment variables. That expands the skill's access surface beyond the stated media-generation purpose and can cause silent use of stored secrets the user did not explicitly provide for this run.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Allowing --host-url to override the API destination enables arbitrary outbound authenticated requests using the resolved bearer token. In this skill, that is especially dangerous because local media and credentials can be sent to attacker-controlled infrastructure under the guise of normal generation tasks.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill instructs use of the WANGYI_API_KEY environment variable but provides no warning about sensitive credential handling, such as avoiding echoing keys, logs, screenshots, or passing secrets on the command line. In a tool-executing agent context, this can lead to accidental disclosure through terminal history, output, or mishandled troubleshooting steps.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation explicitly tells users to send their API key in chat to an assistant for configuration, which creates a clear credential-exposure risk. Secrets shared through chat may be logged, retained, visible to operators, exposed to plugins/tools, or leaked to other contexts, making this unsafe even if the setup is convenient.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to provide their API key directly in chat, which can expose a secret to logs, conversation history, operators, plugins, or downstream systems that process messages. In an agent skill context, this is especially risky because users may assume the chat channel is a safe credential store when it is not designed for secret handling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to upload reference images, provide remote URLs for character creation, and submit asynchronous generation jobs without clearly warning that these assets and prompts are transmitted to an external video-generation service. This can lead to unintended disclosure of sensitive images, proprietary media, internal URLs, or personal data because users may reasonably assume local-only processing from the examples.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code uploads API credentials and potentially local image content to a remote service without any user-facing disclosure at execution time. In an agent context, silent transmission of local files materially increases privacy and data-handling risk because users may not realize their files are leaving the system.

Ssd 3

High
Confidence
99% confidence
Finding
Telling users to paste an API key directly into assistant chat normalizes unsafe secret handling and can lead to immediate compromise of paid API access. In this skill's context, the key grants access to third-party image/video generation services and could be abused for unauthorized usage, charges, or account takeover-like effects within the service scope.

Ssd 3

Medium
Confidence
98% confidence
Finding
The setup text explicitly instructs the user to send the API key in chat, which encourages unsafe credential handling and increases the chance the secret is exposed to logs, transcripts, or downstream tooling. In an agent ecosystem, requesting secrets through chat is particularly risky because conversation content may be retained or inspected by other components.

Ssd 3

Medium
Confidence
98% confidence
Finding
The health-check path repeats the instruction to send the API key in chat, reinforcing insecure secret-sharing practices. Repetition in error handling makes accidental credential disclosure more likely during troubleshooting, when users are prone to follow prompts verbatim.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.