Security audit

Fire & Smoke Detection Skill | 火情烟雾检测技能

Security checks across malware telemetry and agentic risk

Overview

This fire-detection skill performs the advertised remote media analysis, but it also silently creates or reuses a user identity, logs into an external service, and stores tokens locally.

Install only if you are comfortable with submitted media and report history being handled by the publisher's cloud service, and with the skill silently creating/reusing an identity, storing local tokens in the workspace, and reading workspace identity files. Review or sandbox it before use in environments with sensitive surveillance footage, regulated operational data, or strict account-control requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (28)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
87% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
86% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises operational behavior that clearly requires network, shell, local file read/write, and likely environment access, yet no permissions are declared. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill will access, and policy engines may under-enforce controls or approvals.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is simple fire/smoke analysis, but the behavior includes unrelated identity creation, authentication against remote services, local token persistence, cloud history retrieval, and report URL export. That mismatch is dangerous because users may submit media expecting one-shot analysis while the skill silently creates accounts, stores identifiers, and links them to historical data flows they were never clearly informed about.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes `show_analyze_list()` to retrieve prior analysis records by `open_id`, which goes beyond the advertised fire/smoke detection function and introduces access to historical data. In combination with the hidden identity handling elsewhere in the file, this can enable unauthorized enumeration or disclosure of past analyses if access control is weak in the backing implementation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script silently resolves an internal user identity through `OpenIdUtil.resolve_current_open_id()` even though the skill is presented as a media-analysis tool. Hidden identity resolution increases the risk of unauthorized data scoping, cross-user access, or covert coupling to internal account context, especially because `--open-id` is suppressed from help and not transparently disclosed to users.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill accepts arbitrary HTTP/HTTPS URLs and forwards them for backend analysis without any allowlisting, hostname validation, or user disclosure. In practice this creates a server-side fetching capability that can be abused to make the downstream service retrieve attacker-chosen resources, which may enable SSRF-style access to internal endpoints or unexpected data exfiltration through the analysis backend.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill exposes report listing and export-link generation features that go beyond the stated fire/smoke detection purpose, increasing the accessible data surface. If authorization is weak in surrounding components, a caller may enumerate prior analysis records or obtain export URLs for reports they should not see, causing confidentiality leakage.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file exposes broad generic CRUD and arbitrary HTTP wrapper methods that are not constrained to fire/smoke detection use cases. In a skill advertised for image/video fire detection, these capabilities enlarge the attack surface by enabling unrelated API interactions, data manipulation, and service abuse if higher-level inputs can influence URLs or payloads.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The `get_user_by_username` capability enables account lookup that is unrelated to the declared fire-detection purpose. Even if intended for convenience, it can support user enumeration, privacy violations, or lateral discovery of internal identities when exposed through an agent skill.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The manifest claims a narrowly scoped fire/smoke detection skill, but the code embeds a very large `SceneCodeEnum` covering unrelated capabilities such as infant monitoring, emotion analysis, pet health, plant diagnostics, driver fatigue, fraud-call identification, and many others. This indicates the skill package includes behavior-selection/configuration support for numerous domains well outside fire detection, creating a clear manifest-to-code scope mismatch.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements persistent user-account storage and lookup logic, including username/realname-based updates, which does not align with a fire/smoke detection skill. In this context, hidden user-management functionality increases the risk of unnecessary data collection, privilege misuse, and covert persistence unrelated to the stated purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The model stores personal profile data and authentication-like tokens (token, open_token, email, birthday) without any demonstrated need for fire detection. Unnecessary retention of sensitive data expands breach impact and creates a clear privacy and credential-handling risk if the local database is accessed or leaked.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The code reads environment-derived workspace paths and creates a persistent local SQLite database, which is unrelated to core image/video fire detection. In context, this persistence increases the attack surface and supports retention of data beyond the detection task, especially when combined with the user/token storage elsewhere in the file.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The utility automatically reads identity material from the workspace and environment, then falls back to creating and persisting a default user account locally. For a fire-detection skill, this is unrelated capability that silently acquires and stores identity state, increasing the risk of unauthorized account use, privacy violations, and hidden cross-skill tracking.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP helper can silently register or log in users against an external health service via `/sys/phoneLogin` using locally derived usernames. This is functionality well outside the declared fire/smoke detection purpose and could cause unauthorized account provisioning, external data transmission, and hidden service coupling without user awareness.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The request utility returns billing and installation guidance for a separate payment skill when it encounters status 402. This introduces unrelated monetization behavior into a fire-detection skill, which can steer users into additional actions outside the declared purpose and indicates the code is acting as a broader platform agent rather than a scoped detection utility.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The history-report trigger phrases are broad enough to be activated by ordinary user requests, which can cause unintended cloud queries and disclosure of prior report metadata. In a skill that auto-associates reports with internally managed identities, accidental triggering increases the chance of exposing historical records the user did not explicitly request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow states that uploaded attachments are automatically saved as local files, but this persistence is not clearly disclosed in the skill description or user-facing warnings. Silent local storage increases privacy and retention risk, especially for surveillance images and videos that may contain sensitive operational or personal data.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill states that anomalies trigger remote warning messages, but it does not clearly warn users that their submitted content may result in outbound notifications. This can create unintended data sharing or operational side effects, particularly in environments where alerts may disclose incident timing, media-derived conclusions, or site status to external systems.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The code reads the entire local file and sends its contents to an external analysis service, but there is no visible user-facing notice, confirmation, or data-handling disclosure here. This is a privacy and data-governance risk because users may unintentionally upload sensitive video or image content, especially in industrial or warehouse environments where recordings can contain confidential operational data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill sends user-supplied local media paths or remote URLs into an API-backed analysis flow via `skill.get_output_analysis` without any clear disclosure that content may leave the local system. In a fire-detection context, uploaded footage may contain sensitive industrial, warehouse, or surveillance data, so silent remote transmission can create meaningful confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
In debug and error paths, the code logs request URLs, params, bodies, and response text, and globally enables verbose HTTP debugging for urllib3/http.client. This can expose tokens, identity fields, tenant information, operational data, or server responses in logs without user notice, creating a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads identity information from `OPENCLAW_WORKSPACE` and `data/smyx-api-key.txt`, then uses it to establish the current user identity without any visible disclosure or consent flow. Silent ingestion of workspace-stored identity data is risky because users of a fire-detection skill would not reasonably expect hidden identity harvesting from local files or environment state.

External Transmission

Medium
Category
Data Exfiltration
Content
    "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
}
try:
    _response = requests.post(_url, json=_data)
    if _response.status_code == 200:
        _response_json = _response.json()
        if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

VirusTotal

64/64 vendors flagged this skill as clean.