Is xpr-creative safe?

https://clawhub.ai/paulgnz/xpr-creative

72
CAUTION

This skill provides legitimate creative deliverable tools (image/video generation, PDF creation, GitHub repos, IPFS storage) for an AI agent job platform. It nonetheless carries moderate risk: URL fetching with no domain allowlist gives anyone who can influence the agent's input a server-side request forgery (SSRF) primitive, every deliverable is uploaded to immutable public IPFS storage, and behavioral override directives in SKILL.md reduce the agent's ability to exercise caution or decline. No malicious intent was detected, but these design choices create exploitable surfaces in adversarial scenarios.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 65/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (9)

MEDIUM Behavioral override directives in SKILL.md -20

SKILL.md uses emphatic language ('NEVER say you can't create images or videos', 'NEVER deliver just a URL') to override the agent's default cautious behavior. Although these are framed as capability instructions, they reduce the agent's ability to decline problematic requests, including requests that arrive through prompt injection, and constitute a soft behavioral override.

MEDIUM Arbitrary URL image embedding in PDF generation -15

The SKILL.md instructs the agent to embed images in PDFs using ordinary markdown image references (alt text in brackets, URL in parentheses). The generatePdfFromMarkdown function then downloads up to 10 of those images from whatever URLs the markdown names. If the agent is processing user-controlled markdown, this is a second SSRF surface alongside downloadFromUrl: a crafted image reference can make the agent fetch an internal network resource and embed the response in the deliverable.

MEDIUM Unrestricted URL fetching with no domain allowlist -20

The downloadFromUrl function accepts any http/https URL up to 50MB with a 30-second timeout and follows redirects. There is no domain allowlist or blocklist. An attacker who can influence the agent's input could cause it to fetch resources from internal networks (the cloud metadata address 169.254.169.254, localhost, private IP ranges) and upload the results to IPFS. Because redirects are followed, a check on the initial URL alone would not close this: an external host can answer with a redirect to an internal address, so any fix has to validate every hop, including the addresses a hostname actually resolves to.

MEDIUM Immutable public storage of deliverables on IPFS -18

All deliverables are uploaded to IPFS via Pinata, making them publicly accessible and permanent. If the agent incorporates sensitive user data into deliverables (which the SKILL.md encourages with 'always include the actual work content'), that data becomes irrevocably public: IPFS content is addressed by its hash, and unpinning from Pinata does not retract copies that other nodes have already retrieved.

LOW GitHub repo creation exposes content publicly -5

The create_github_repo tool creates public repositories by default (private: false). Any content the agent packages as code deliverables will be publicly visible on GitHub under the configured owner account.

LOW Multi-skill chaining risk via URL fetch + IPFS pipeline -25

This skill's combination of fetching arbitrary URLs and uploading to immutable public storage creates a data exfiltration pipeline. If combined with another skill that reads local files or credentials, an attacker could chain them: skill A reads sensitive data → this skill's store_deliverable uploads it to IPFS permanently.

LOW Replicate and Pinata API credentials assumed in environment -15

The skill expects REPLICATE_API_TOKEN, PINATA_JWT, GITHUB_TOKEN, and GITHUB_OWNER in environment variables. While it gracefully handles missing credentials, an agent environment with these set exposes API quota, billing and the owner's GitHub account to any skill that can invoke these tools, and the raw token values are readable by anything else running in the same process environment.
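The three findings above (permanent public IPFS storage, the fetch-then-pin exfiltration chain, and credentials sitting in the environment) share one practical mitigation: a gate in front of the pin. As an added example that is not the skill's or Pinata's code, here is a pre-publication check for a store_deliverable-style tool: it refuses content that contains the literal (or base64-encoded) value of any of the token variables the finding names, refuses well-known credential shapes, and requires the caller to state explicitly that the content may be published. The function names, the option names, the environment values and the two draft deliverables are constructed for illustration.

```javascript
// Added example, not the skill's code: a publication gate to run before a
// store_deliverable-style IPFS pin. Function and option names are illustrative assumptions.

// Credential shapes worth stopping at the door. Kept narrow so ordinary prose, code and
// markdown deliverables rarely trip them.
const SECRET_PATTERNS = [
  { name: 'PEM private key', re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
  { name: 'GitHub token', re: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b/ },
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'JWT', re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/ },
];

// The environment variables the finding names; their exact values (and the base64 form)
// must never appear in anything that is about to become permanent and public.
const SECRET_ENV_VARS = ['REPLICATE_API_TOKEN', 'PINATA_JWT', 'GITHUB_TOKEN'];

function preflightDeliverable(content, { env = process.env, publish = false } = {}) {
  // latin1 keeps a 1:1 byte mapping, so ASCII patterns still match inside PDFs and images
  const text = Buffer.isBuffer(content) ? content.toString('latin1') : String(content);
  const reasons = [];
  if (!publish) reasons.push('caller did not acknowledge that IPFS is public and permanent (publish: true)');
  for (const name of SECRET_ENV_VARS) {
    const value = env[name];
    if (!value || value.length < 8) continue; // empty or trivially short values would match everything
    const encoded = Buffer.from(value).toString('base64');
    if (text.includes(value) || text.includes(encoded)) reasons.push(`contains the value of ${name}`);
  }
  for (const { name, re } of SECRET_PATTERNS) {
    if (re.test(text)) reasons.push(`matches ${name} pattern`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// What a store_deliverable tool would call instead of pinning directly. `pin` is whatever
// actually uploads (a Pinata client in the real skill, assumed here) and is only reached
// when the gate passes; there is no "upload, then unpin on complaint" fallback because that
// does not work for content-addressed public storage.
async function storeDeliverableGated(content, opts, pin) {
  const verdict = preflightDeliverable(content, opts);
  if (!verdict.allowed) return { stored: false, reasons: verdict.reasons };
  return { stored: true, cid: await pin(content) };
}

// Constructed inputs: a fake environment and two draft deliverables, one of which quotes
// the GitHub token the agent used while "including the actual work content".
const constructedEnv = {
  PINATA_JWT: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlX2RlbW8',
  GITHUB_TOKEN: 'ghp_' + 'a'.repeat(36),
};
const leakyReport = `# Delivery notes\nPushed with token ${constructedEnv.GITHUB_TOKEN}; see repo.`;
const cleanReport = '# Delivery notes\nPushed the site to the repo and attached the PDF.';
```

Run against the constructed inputs, leakyReport is refused twice over (it contains the GITHUB_TOKEN value and matches the GitHub token shape), cleanReport passes only when publish is true, and a PDF buffer carrying a PEM private key is refused before the pin function is ever called. The pattern list is a floor, not a ceiling: exact-value matching against the process's own secrets is the check that catches the chaining scenario, because those are the values another skill in the same environment is most likely to read.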

INFO Dynamic require of pdfkit -5

The skill uses require('pdfkit') inside generatePdfFromMarkdown rather than at module load. This is a runtime dependency assumption rather than a security risk, but it means the skill depends on a host-installed package, and a missing pdfkit only surfaces when a PDF is first requested.

INFO JIT cache files created during install -5

Filesystem monitoring showed /tmp/jiti/ files being created during installation. These are standard JIT compilation cache artifacts from the ClawHub runtime, not from the skill itself.