Security audit

Child Hazardous Behavior Recognition Tool | 儿童危险行为识别分析工具

Security checks across malware telemetry and agentic risk

Overview

This cloud child-safety video analysis skill is purpose-aligned, but needs review because it silently creates or reuses identity, uploads sensitive footage, queries cloud history, and stores local tokens with limited privacy controls.

Review before installing. Use it only if you are comfortable sending child-monitoring videos or URLs to the LifeEmergence cloud service and allowing the skill to create/reuse a local identity, store tokens in a workspace database, and retrieve account-linked history reports. Clarify retention, deletion, and consent requirements before using real footage of minors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to run local Python scripts, access local files, write outputs, use network resources, and query cloud history, but it declares no permissions. This creates a capability/consent mismatch: operators and policy layers cannot accurately gate sensitive actions such as reading uploaded child-monitoring videos, contacting remote APIs, or creating local default identities.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file documents pet health analysis endpoints even though the skill claims to perform child dangerous behavior recognition. This mismatch is dangerous because an integrator or runtime may call unrelated backend APIs, causing incorrect data handling, broken safety monitoring, or accidental exposure of unrelated health-report functionality under a child-safety skill.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation explicitly labels the API as pet health analysis, which contradicts the declared purpose of the skill. In a child-safety context, this creates a trust and safety risk because operators may believe they are deploying real-time dangerous behavior detection while the documented integration targets a different product domain entirely.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes a hidden account-scoped history/list feature by resolving and using an OpenID, even though the stated purpose is real-time dangerous-behavior recognition on a provided video. Hidden identity-based retrieval expands the data access surface and can expose prior analysis records or user-linked metadata without clear user awareness or purpose limitation.

Intent-Code Divergence

Low
Confidence
76% confidence
Finding
The code comment says the tool initializes an internal identity without requiring user input or showing it in help, but it still resolves and uses an OpenID for account-scoped behavior. This mismatch can conceal security-relevant behavior from users and reviewers, increasing the chance of unintended access to user-linked data and weakening informed consent and auditability.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script exposes a history-listing mode (`--list`) that retrieves prior analysis results via `skill.get_output_analysis_list(open_id=open_id)`, which is outside the stated real-time child-dangerous-behavior detection purpose. This expands the skill from single-item analysis into account-scoped data access, increasing privacy and unauthorized data exposure risk if history access is not strictly intended and access-controlled.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code resolves and uses an `open_id` to access account-scoped history, but that identity handling is not clearly justified by the child-safety video recognition function advertised by the skill. Identity-linked history access can expose sensitive prior analyses and create an insecure direct object reference or privacy issue if `open_id` resolution or server-side validation is weak.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file implements a broad, reusable API wrapper with generic list/add/edit/delete/http_* methods and a user lookup helper that extend well beyond the manifest’s stated purpose of child-dangerous-behavior recognition and alerting. In a child-safety monitoring context, this unnecessary capability expansion increases the attack surface and enables remote data access or modification paths that are not justified by the declared function, creating risk of misuse, overcollection, or unauthorized operations if exposed through the skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The get_user_by_username method provides account lookup functionality unrelated to recognizing dangerous child behavior near windows, fire, or power sources. In this skill context, username-based enumeration or retrieval introduces unnecessary access to identity-related data and can facilitate privacy violations or account discovery without any clear operational need.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This file implements generic user-account storage and lookup, including usernames, real names, email, birthdays, and authentication tokens, which is not clearly necessary for a child dangerous-behavior recognition skill. In a child-safety context, collecting and persisting identity and token data expands the privacy and abuse surface, especially if the surrounding skill does not justify or constrain that capability.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This utility silently derives, persists, and reuses user identity information by reading workspace files, environment data, and a local database, then sets global current-user state. That behavior is materially broader than the declared child-danger recognition function and creates hidden identity management and account-linking behavior that users would not reasonably expect from this skill.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The HTTP helper automatically performs remote login/registration, injects authentication headers, retries authorization, and persists returned tokens to local storage. For a child-safety recognition skill, this hidden network account bootstrap and token lifecycle management significantly expands data handling and trust assumptions beyond the advertised purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reads OPENCLAW_WORKSPACE, a workspace file, and a local database to infer or create an identity without direct user action. In the context of a child supervision skill, covertly harvesting local context to establish identity is unnecessary for the core safety function and increases privacy risk and unintended account association.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The documented auto-trigger phrases for history queries are broad enough that ordinary requests like 'show reports' or 'history report' could invoke cloud retrieval without clear user intent confirmation. In this skill's context, that can expose prior child-safety monitoring records tied to an internally managed identity, increasing the risk of unintended disclosure.

Missing User Warnings

High
Confidence
97% confidence
Finding
This skill handles highly sensitive child-monitoring videos and performs cloud-based report/history operations, yet the description lacks a clear privacy notice about data upload, retention, identity linkage, and third-party/API processing. Users may provide footage of minors without informed consent, creating significant privacy and compliance risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill reads arbitrary local video files into memory and transmits them to an external analysis service without any consent prompt, disclosure, or data-minimization logic in this code path. Because the skill is for child-safety monitoring, the content is likely to contain highly sensitive footage of minors and private environments, making silent exfiltration materially risky.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code reads an internal identity value from a workspace API-key file and uses it as an open-id without user notice. That creates a hidden trust channel from local file contents into remote identity selection, which can expose internal identifiers and cause requests to run under an unintended account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill automatically reuses or creates a local default user record, then persists that identity for future operations without any user-facing warning. This can silently bind activity to a synthetic account and obscure who initiated remote actions, which is especially problematic in a safety-monitoring context involving potentially sensitive household or childcare deployments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The helper sends identity-bearing fields such as openId and mobile to a remote login endpoint with silent/register flags, but there is no visible disclosure, consent, or limitation in the skill description. This is dangerous because it transmits identity data off-device under hidden auto-registration logic unrelated to the stated child-danger recognition function.

External Transmission

Medium
Category
Data Exfiltration
Content
    "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
}
try:
    _response = requests.post(_url, json=_data)
    if _response.status_code == 200:
        _response_json = _response.json()
        if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

VirusTotal

56/56 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2