Security audit

Flame & Smoke Detection Skill | 烟火检测技能

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible fire and smoke detection purpose, but it also bundles unrelated health-analysis artifacts and silently handles account creation, identifiers, tokens, and local persistence in ways users should review before installing.

Install only if you are comfortable sending surveillance images/videos, video URLs, user identifiers, and report history to the publisher's cloud service. Before use, remove or rotate the bundled api-key, avoid using a real phone number unless you intend account creation, and review the local SQLite token storage plus the mismatched health-analysis documentation with the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Intent-Code Divergence (Medium severity, 97% confidence)
The instructions conflate an api-key from local configuration with the user's open-id, which are different security domains: one is a credential, the other is a user identifier. Misusing a secret credential as a user identifier can leak or repurpose sensitive authentication material, cause cross-user data mixing, and lead to unauthorized access patterns in downstream APIs or report history queries.

Description-Behavior Mismatch (High severity, 98% confidence)
The documentation embedded in this skill describes a completely different domain: pet health analysis APIs and report export endpoints, not fire/smoke detection. In an agent skill, mismatched API docs can cause the agent or integrator to invoke unrelated sensitive endpoints, mishandle data types, or expose/report health-related data under the guise of a safety-monitoring skill; the contradiction also raises supply-chain trust concerns because the artifact does not match its declared purpose.

Intent-Code Divergence (High severity, 99% confidence)
The inline text explicitly labels the interface as pet health analysis, reinforcing that this is not a harmless wording issue but a direct mismatch between claimed functionality and documented behavior. That makes the skill more dangerous in context because users expect fire/smoke detection for safety workflows; confusion or misuse could send production traffic to unrelated systems, leak exported reports, or mask a repackaged/poisoned skill artifact.

Intent-Code Divergence (High severity, 99% confidence)
The documented response schema is clearly unrelated to fire/smoke detection and instead describes face detection and health-diagnosis outputs. In a surveillance-oriented skill, this mismatch is dangerous because it can conceal undisclosed biometric or health-related processing, causing users and integrators to send video under false assumptions about what is being analyzed.

Description-Behavior Mismatch (High severity, 99% confidence)
The API behavior as documented appears to process facial and health information rather than the advertised fire/smoke detection task. This creates a serious transparency and data-use risk: operators may deploy the skill in safety monitoring contexts while unknowingly transmitting human imagery for unrelated sensitive inference.

Context-Inappropriate Capability (High severity, 98% confidence)
Health-diagnosis capability is unjustified for a fire/smoke detection skill and implies collection or inference of highly sensitive personal information from submitted media. This is especially risky in surveillance, forest, and industrial settings where bystanders or employees may be recorded without expecting medical or biometric profiling.

Description-Behavior Mismatch (Medium severity, 89% confidence)
This module exposes generic add/edit/delete and raw HTTP GET/POST/PUT/DELETE wrappers that are not constrained to fire/smoke detection operations. In an agent skill, such broad network and CRUD capability materially expands what the skill can do beyond its declared purpose, enabling misuse for arbitrary remote actions if higher-level inputs are attacker-controlled.

Context-Inappropriate Capability (Medium severity, 91% confidence)
The code permits arbitrary remote resource manipulation through edit, delete, add, and generic HTTP methods that accept caller-supplied URLs and arguments. For a fire/smoke detection skill, this is unjustified capability creep and could be abused to modify external systems, exfiltrate data, or pivot into SSRF-like behavior depending on how RequestUtil is implemented and who controls inputs.

Description-Behavior Mismatch (High severity, 91% confidence)
This file implements a generic local DAO layer and user-account CRUD logic, including reads, writes, updates, and deletes, which is materially unrelated to the stated fire/smoke detection purpose. In a skill whose declared function is scene analytics, undisclosed account persistence broadens the data-handling surface and can enable unnecessary collection or manipulation of user data.

Context-Inappropriate Capability (High severity, 96% confidence)
The User model stores identity and authentication-related data including username, realname, email, token, and open_token in a local SQLite database, despite the skill being described as fire/smoke detection. Storing tokens and identity data outside the declared analytics purpose creates privacy and credential exposure risk, especially if the local workspace is accessible to other components or users.

Context-Inappropriate Capability (Medium severity, 92% confidence)
This shared skill module exposes a generic AI chat/agent invocation capability that is unrelated to the advertised fire/smoke detection purpose. In a security-sensitive skill ecosystem, hidden or unnecessary agent-execution features enlarge the attack surface, can enable prompt/data exfiltration paths, and violate least-privilege expectations even if the current implementation is partly stubbed.

Description-Behavior Mismatch (High severity, 99% confidence)
The utility layer for a fire/smoke detection skill contains unrelated account lifecycle, token management, and billing/upsell behavior. That creates hidden side effects: invoking the skill can trigger user account creation/login, credential handling, and recharge prompts unrelated to the stated function of scene analysis, increasing privacy and trust risk.

Context-Inappropriate Capability (High severity, 99% confidence)
The code automatically logs in or registers users using usernames/phone numbers by calling /sys/phoneLogin with register=1 and silent=1. For a fire/smoke detection skill, silently creating or authenticating platform accounts without explicit user action is dangerous because it can expose personal identifiers, create unauthorized accounts, and surprise users with downstream token issuance and tracking.

Vague Triggers (Medium severity, 84% confidence)
The auto-trigger phrases for history-report queries are broad enough to match ordinary conversational requests, which can cause the skill to perform unintended cloud queries and disclose historical report metadata. In this skill context, those reports may contain incident timing, fire-risk levels, and report links, so over-triggering can expose sensitive operational history without sufficiently clear user intent.

Missing User Warnings (Medium severity, 88% confidence)
The skill states that uploaded attachments or media are automatically saved as local files, but it does not provide a clear warning, retention policy, or consent flow. Because the content may include surveillance footage or incident imagery, silent local persistence increases privacy, confidentiality, and data-retention risk if files are stored insecurely or longer than necessary.

Missing User Warnings (Medium severity, 88% confidence)
The documentation instructs users to upload videos or provide public video URLs but gives no warning about data transmission, third-party processing, retention, or privacy implications. For surveillance footage, this can expose sensitive location, personnel, and operational information and lead to unsafe deployment without informed consent or handling controls.

Missing User Warnings (Medium severity, 81% confidence)
The script requires an open-id/user identifier and stores it in a global configuration value before making backend requests, but it provides no user-facing notice about collection, transmission, or retention. In a surveillance/fire-warning context, identifiers may be tied to sensitive operational usage, increasing privacy and compliance risk if users do not understand that their identity is being sent to a remote service.

Missing User Warnings (Medium severity, 84% confidence)
The tool accepts a remote video URL and passes it to backend analysis without warning users that the service may receive the URL, associated metadata, or trigger server-side retrieval of third-party content. In security surveillance and industrial monitoring contexts, URLs can reveal internal infrastructure, camera endpoints, tokens, or access patterns, so silent transmission raises meaningful confidentiality risk.

Missing User Warnings (Medium severity, 96% confidence)
This helper assembles and transmits user identifiers and authentication material, including pnaUserName, X-Access-Token, X-Api-Key, and Authorization headers, without any indication in this file of user notice or consent. In the context of a vision-analysis skill, hidden transmission of identity and auth data broadens the privacy and security exposure beyond what users would reasonably expect.

VirusTotal

63/63 vendors flagged this skill as clean.