corespeed-studio

Security checks across malware telemetry and agentic risk

Overview

This is a coherent fal.ai media-generation skill that uses a fal.ai API key and can upload user-chosen prompts or media for processing.

Install only if you are comfortable using fal.ai for media generation. Use a revocable FAL_KEY, monitor fal.ai usage or charges, and avoid sending confidential, personal, biometric, regulated, or proprietary media unless you have approval for external processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill clearly requires environment access (`FAL_KEY`) and network access to send prompts/media to fal.ai, yet it does not declare permissions. That mismatch can bypass user/admin expectations and weakens policy enforcement around outbound data transfer and secret use.

Vague Triggers

Medium
Confidence: 83%
Finding: The description is broadly phrased to trigger on many common creative requests, which can cause the agent to invoke this skill in situations where users may not expect third-party media upload or API-backed processing. In context, this is risky because the skill handles user-supplied media and prompts through an external service.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs users to configure an API key and upload input files, but it does not disclose that prompts, images, audio, and videos may be sent to fal.ai and potentially downstream model providers. This creates a meaningful privacy and data-governance risk, especially for sensitive or personal media.

Missing User Warnings

Medium
Confidence: 90%
Finding: The example instructs users to send an image URL to a third-party fal.ai endpoint but does not disclose that user-provided media will be transmitted off-platform for processing. If users submit sensitive, proprietary, or personal images, this omission can lead to unintended data exposure and privacy/compliance issues.

Missing User Warnings

Medium
Confidence: 91%
Finding: The documentation explicitly exposes two privacy-relevant capabilities: `enable_web_search` for Nano Banana 2 and `image_url`-based remote image editing, but it does not warn that prompts, referenced image URLs, and possibly fetched web content are sent to third-party infrastructure. In an agent skill, this omission can cause users or downstream agents to unknowingly transmit sensitive text or private media to external services, increasing privacy, compliance, and data-handling risk.

Missing User Warnings

Low
Confidence: 85%
Finding: The documentation instructs users to provide `image_urls` to a third-party remote AI endpoint but does not disclose that the referenced images will be transmitted off-platform for processing. This can lead to inadvertent sharing of private, sensitive, or access-controlled media, especially in a media-generation skill where users may upload personal or proprietary images for editing.

Missing User Warnings

Medium
Confidence: 91%
Finding: The example sends `video_url` and `audio_url` to the external fal.ai service, which can expose user media, biometric data, or sensitive voice content to a third party without any explicit notice about data handling, retention, or consent requirements. In a media-generation skill, users may reasonably provide personal recordings, making silent transmission to an external provider a meaningful privacy and compliance risk.

Missing User Warnings

Low
Confidence: 92%
Finding: The example transmits an image URL to a third-party fal.ai endpoint, which can expose user-provided media or internal resource locations to an external service without any privacy, consent, or data-transfer warning. In a media-generation skill this behavior is expected, but omitting disclosure increases the risk of accidental sharing of sensitive or private content.

VirusTotal

63/63 vendors flagged this skill as clean.
