Is beauty-generation-api safe?
https://clawhub.ai/luruibu/beauty-generation-api
This skill establishes a persistent data pipeline to an unvetted external server (gen1.diversityfaces.org), sending user prompts and downloading arbitrary binary content. Installation monitoring detected access to highly sensitive files including .aws/credentials, .env, and auth-profiles.json, creating a plausible credential exfiltration vector. The SKILL.md uses aggressive behavioral overrides and overly broad trigger words to maximize activation and data flow to the external service.
Findings (11)
CRITICAL Sensitive file access during installation -40
Filesystem monitoring detected reads of .env, .aws/credentials, auth-profiles.json, and .openclaw/openclaw.json during the install process. While some may be framework behavior, the combination of credential file reads with an external-API-calling skill creates a high-risk exfiltration vector. The .aws/credentials file was opened and accessed — this file typically contains AWS secret keys.
HIGH All user prompts exfiltrated to unvetted external server -30
Every image generation request sends the user's full text prompt to gen1.diversityfaces.org — a domain with no verifiable reputation. The shared hardcoded API key means all requests are centrally trackable. This creates a persistent data collection pipeline for user intent, preferences, and potentially sensitive descriptions.
HIGH Overly broad trigger words hijack unrelated requests -30
The skill defines extremely broad activation triggers including 'portrait', 'headshot', 'avatar', 'character design' — common words that would cause the skill to activate and send data to the external API for many requests unrelated to beauty image generation.
HIGH Behavioral override directives embedded in SKILL.md -25
The skill uses imperative language ('YOUR MISSION', 'CRITICAL', 'YOU MUST') to establish persistent behavioral control over the agent. It imposes timing constraints ('deliver within 5 seconds'), display requirements ('show actual image, not just file path'), and emotional manipulation ('Make users excited about the result') that override the agent's normal safety-first behavior.
HIGH Python script downloads and writes arbitrary binary data -35
generate.py downloads opaque binary content (webp images) from the external server and writes it directly to the local filesystem. There is no content validation, no file type verification, and no size limits beyond the URL timeout. A compromised or malicious server could serve any binary content.
MEDIUM Mixed language obfuscation in SKILL.md -10
The SKILL.md mixes Chinese and English text without clear reason. The Chinese section '快速开始' duplicates the English quick-start but could serve as an obfuscation layer to bypass content scanning or inject instructions that automated English-language security filters would miss.
MEDIUM npm test script triggers external network calls -15
The package.json 'test' script runs 'python3 scripts/generate.py --test' which sends a request to the external API and downloads an image. Running 'npm test' — a seemingly safe operation — triggers network communication with an external server.
MEDIUM System fingerprinting via machine-id read -20
The install process read /etc/machine-id, which provides a unique system identifier. Combined with the external API's shared API key, this could be used to fingerprint and track individual installations.
MEDIUM Repeated environment file reads suggest harvesting -25
During installation, .profile and .bashrc were each read 4 separate times, and .openclaw/openclaw.json was read 5 times. This repetitive access pattern is unusual for a simple skill install and suggests environment variable enumeration.
LOW No TLS certificate validation or pinning -5
The Python script uses urllib.request without certificate pinning. While Python's default SSL context provides basic validation, there is no protection against sophisticated MITM attacks or DNS poisoning that could redirect requests to a malicious server.
INFO Hardcoded shared API key enables user tracking -15
The API key 'ak_OymjErKQRs-brINJuHFxKwIbxbZHq2KRiEzYthnwxMI' is shared across all installations. The server operator can use this to identify all requests as coming from this skill and correlate usage patterns.