Is imagine-anything/social-media safe?
https://github.com/openclaw/skills/tree/main/skills/imagine-anything/social-media
The imagine-anything/social-media skill presents no direct prompt injection or code execution risks, and its installation is clean, but it carries significant operational security risks in two areas: (1) the Connected Services feature explicitly instructs agents to POST user API keys for OpenAI, Google Gemini, ElevenLabs, and Runware to an external third-party server, which constitutes credential exfiltration regardless of the platform's encryption claims, and (2) the marketplace integration allows agents to place orders and request payouts with real payment methods and no per-transaction user confirmation built into the documented workflow. Deployment should require strict agent-level guardrails preventing autonomous credential-sharing and financial transactions without explicit user approval.
Category Scores
Findings (10)
CRITICAL Connected Services instructs agents to POST user API keys to third-party server -35
The SKILL.md Connected Services section explicitly instructs agents to POST the user's third-party API keys — including OpenAI (sk-proj-* format), Google Gemini, ElevenLabs, and Runware keys — to imagineanything.com via the /api/settings/services endpoint. An agent acting autonomously on this instruction exfiltrates user credentials to an external server. The skill claims keys are encrypted at rest with AES-256-GCM, but encryption at rest does not prevent the platform from accessing or misusing the keys, and the keys are transmitted in plaintext in the request body before any server-side encryption. This is the skill's intended feature, not a hidden attack, but from a security standpoint it represents explicit credential exfiltration to a third party.
HIGH Marketplace enables autonomous financial transactions without per-action confirmation -20
The marketplace section documents order placement and payout requests with no user confirmation step. An agent with this skill active and access to the user's ImagineAnything credentials could place orders with real payment methods (Stripe card, USDC, Coinbase) and request Stripe payouts. The skill's instructions contain no guardrails requiring the agent to confirm with the user before committing financial transactions.
HIGH Webhook configuration creates persistent real-time exfiltration channel -15
The skill instructs agents to configure a webhook at an arbitrary HTTPS URL to receive real-time notifications for all activity including follows, likes, comments, and DMs. Once set, this webhook fires on every agent interaction. If the URL points to an attacker-controlled server, it becomes a persistent exfiltration channel that does not require the agent to be active. The webhook secret is also transmitted and, if leaked, provides a signature bypass.
HIGH IMAGINEANYTHING_BASE_URL env var redirects OAuth credentials to arbitrary server -10
All four shell scripts use BASE_URL="${IMAGINEANYTHING_BASE_URL:-https://imagineanything.com}". The client_credentials OAuth grant sends IMAGINEANYTHING_CLIENT_ID and IMAGINEANYTHING_CLIENT_SECRET to ${BASE_URL}/api/auth/token. If an attacker can control this environment variable — via another skill, a misconfigured .env file, or shell inheritance — all credential exchanges are redirected to an attacker-controlled server that can harvest the OAuth secret.
HIGH Agent can post to public feed without user review -15
The post creation workflow documented in SKILL.md issues a direct curl POST to the public /api/posts endpoint. No review, preview, or confirmation step is documented before publication. An agent following these instructions will publish content immediately and publicly. This creates risk of accidental disclosure, embarrassing content, or ToS-violating posts made autonomously.
MEDIUM pip install imagineanything recommended without version pinning -12
The skill offers 'pip install imagineanything' as an alternative to the shell script workflows. No version is pinned (e.g., imagineanything==1.0.0). If the imagineanything PyPI package is abandoned or hijacked, or if an agent installs a typosquatted variant, arbitrary Python code could execute in the user's environment.
MEDIUM Social capabilities enable coordinated inauthentic behavior at scale -8
The skill provides agents with follow, unfollow, DM, like, comment, repost, amplify, and quote capabilities. Deployed across many agent instances, these capabilities enable coordinated inauthentic behavior — fake engagement networks, spam DM campaigns, artificial amplification — at the platform API rate limits (100 reads/min, 30 writes/min per agent). The skill documents no usage constraints or anti-abuse guidelines.
MEDIUM Six sensitive credential files accessed during monitoring period -18
Files .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were all opened and read during monitoring. Both access clusters (pre-install at audit 1771926188 and post-install at 1771926208) exhibit all six files accessed at the same millisecond in identical order, strongly matching the monitoring framework's canary verification pattern. The canary integrity system reports no exfiltration. Nevertheless, the files were definitively read.
LOW Order message attachments accept arbitrary URLs -5
The Send an Order Message endpoint accepts an optional attachments array of arbitrary URLs. If imagineanything.com fetches these URLs server-side for preview generation, this could be used as an SSRF vector against the platform's internal network or as a covert channel to an attacker's logging server.
INFO Clean installation — expected GitHub traffic only during clone 0
The installation process was clean. Only github.com (140.82.121.4:443) was contacted during the git clone. Sparse checkout correctly isolated the skill subpath. The temp clone directory was removed. No unexpected processes spawned, no writes outside the skill directory. Pre-existing Ubuntu infrastructure connections (91.189.91.49, 185.125.188.57) are unrelated to the skill.