Basic Object Detection Skill (基础目标检测技能)

Security checks across malware telemetry and agentic risk

Overview

This skill advertises basic object detection, but its files also handle health- and face-style analysis responses, perform account login and registration, store tokens locally, and expose broad report-history access. All of these need review before use.

Review the skill before installing it, especially if it will process real surveillance footage or run against production accounts. Install it only if you accept that media and identifiers are sent to the publisher's cloud service, that tokens are stored locally in a SQLite database, and that report-history features are keyed by open-id values. Ask the publisher to narrow the skill to object detection, fix the dependency, document retention and authentication flows, and remove the unrelated health and face handling.
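The pre-install review recommended above can be partly mechanised. The script below is an added example (not part of the SkillSpector report or of the skill it describes): it walks a skill directory and flags lines matching the risk indicators the findings enumerate, namely remote login endpoints and auth headers, persisted credential fields, identity collection, and response fields outside an object-detection scope. The indicator lists and the sample skill tree written by `write_sample_skill()` are constructed assumptions for the demonstration, not the real skill's files.

```python
"""Pre-install audit of an agent skill directory (added example, not the
skill's or the scanner's own code; indicator lists are assumptions)."""
import os
import re
import tempfile
from collections import defaultdict

# Indicator regexes grouped by the report's finding categories. Assumed
# lists; tune per review. Matched case-insensitively, one line at a time.
INDICATORS = {
    "credential_persistence": [r"\b(open_?token|token)\s*=\s*Column\b",
                               r"UserDao\.save", r"\bsqlite"],
    "identity_collection": [r"\bopen[-_]?id\b", r"\bmobile\b", r"\bpnaUserName\b",
                            r"\bregister['\"]?\s*[:=]\s*1\b", r"phone\s*number"],
    "remote_auth": [r"/sys/phoneLogin", r"X-Access-Token", r"X-Api-Key",
                    r"\bAuthorization\b"],
    "out_of_scope_fields": [r"healthAiResponse", r"healthAssessment", r"\bface", r"diagnos"],
}
SCAN_SUFFIXES = (".py", ".md", ".json", ".yaml", ".yml", ".toml")


def write_sample_skill(root):
    """Write a constructed, miniature skill tree that reproduces the report's
    findings. Assumed content for the demo, not the real skill's source."""
    files = {
        "SKILL.md": (
            "# Basic object detection\n"
            "Ask the user for a username or phone number as the open-id and\n"
            "use it to save and query historical reports.\n"
        ),
        "models.py": (
            "from sqlalchemy import Column, String\n"
            "class User(Base):\n"
            "    open_id = Column(String)\n"
            "    token = Column(String)\n"
            "    open_token = Column(String)\n"
        ),
        "utils.py": (
            "def _get_or_create_user(open_id, mobile):\n"
            "    payload = {'openId': open_id, 'mobile': mobile, 'register': 1}\n"
            "    resp = post(BASE + '/sys/phoneLogin', json=payload,\n"
            "                headers={'X-Api-Key': KEY, 'Authorization': 'Bearer ' + TOKEN})\n"
            "    UserDao.save(resp['token'], resp['openToken'])\n"
            "    return resp.get('healthAiResponse') or resp.get('commonAiResponse')\n"
        ),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def audit_skill(root):
    """Return {category: [(relative_path, line_no, matched_text), ...]}."""
    compiled = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
                for cat, pats in INDICATORS.items()}
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for cat, regexes in compiled.items():
                        for rx in regexes:
                            m = rx.search(line)
                            if m:
                                hits[cat].append((rel, lineno, m.group(0)))
    return dict(hits)


def verdict(hits):
    """'review' with the flagged categories if any indicator fired, else 'ok'."""
    flagged = sorted(cat for cat, items in hits.items() if items)
    return ("review", flagged) if flagged else ("ok", [])


def run_demo():
    """Write the constructed skill to a temp dir, audit it, return
    (status, flagged_categories, hits)."""
    root = tempfile.mkdtemp(prefix="skill-audit-")
    write_sample_skill(root)
    hits = audit_skill(root)
    status, flagged = verdict(hits)
    return status, flagged, hits


if __name__ == "__main__":
    status, flagged, hits = run_demo()
    print(f"verdict: {status}; flagged: {', '.join(flagged)}")
    for cat, items in sorted(hits.items()):
        for rel, lineno, text in items:
            print(f"  [{cat}] {rel}:{lineno}: {text}")
```

A regex audit is a triage aid, not proof of absence: it only finds the identifiers it was told about, so pair it with reading the flagged files and with a runtime check of what the skill actually sends.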

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The API documentation is materially inconsistent with the declared skill purpose: a basic object-detection surveillance skill instead references pet health analysis endpoints, report export, and a pet-health scenario code. This kind of capability/documentation mismatch can mislead integrators into calling unrelated back-end services, causing unintended data access, privacy violations, or deployment of a skill that performs functions outside its stated scope.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The documented API behavior materially contradicts the skill's declared purpose of basic object detection. Instead of returning detections for people, vehicles, pets, or parcels, it exposes face analysis and health/diagnostic outputs, indicating undocumented scope expansion into sensitive biometric and inferred health processing. In a surveillance context, this mismatch is dangerous because operators may deploy the skill expecting low-sensitivity object detection while actually sending video to a system performing sensitive personal profiling.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The response schema expands from ordinary security analytics into face-related and health-diagnosis features that are unrelated to the stated object-detection use case. This creates a high-risk functionality gap because users may unknowingly process special-category or highly sensitive personal data, increasing legal, privacy, and misuse exposure. The skill context makes this more dangerous, not less, because surveillance tooling already operates on people in potentially non-consensual environments.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Face analysis and especially health diagnosis are unjustified capabilities for a basic surveillance object-detection skill. Their presence suggests overcollection and secondary use of video data beyond user expectations, enabling biometric identification or health inference from footage without clear necessity. Because the advertised context is general security surveillance, the risk is amplified by the likelihood of capturing bystanders, residents, or employees who have not meaningfully consented.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill is declared as basic object detection, but its output handling explicitly parses and prioritizes generic and health-analysis response fields such as commonAiResponse and healthAiResponse. This indicates a capability/intent mismatch that can surface unrelated sensitive inference results to callers, violating least privilege and increasing the chance of privacy-impacting data exposure.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The report-listing logic extracts and displays health/body assessment content (for example, healthAssessment.subject) even though the skill is marketed as object detection. In a surveillance context, exposing health-related inferences is especially dangerous because users may submit ordinary camera footage expecting object counts, not sensitive personal profiling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
This file implements persistent user-account storage and mutation operations inside a skill described as basic object detection, which is a significant scope mismatch. Unnecessary account-management capability increases attack surface, enables unauthorized persistence of identity data, and suggests hidden functionality unrelated to the stated surveillance purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The User model persists sensitive profile fields and authentication-like secrets such as token and open_token without any visible encryption, hashing, access control, or purpose justification. In the context of a basic object-detection skill, storing long-lived tokens is especially dangerous because compromise of the local SQLite database could lead to credential theft, account takeover, or unauthorized API access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
This utility module implements broad authenticated API access, token management, retry logic, and even user provisioning that go well beyond a basic object-detection skill's declared purpose. In this skill context, that mismatch is dangerous because it expands the attack surface and allows the skill to act on behalf of users against remote services with little transparency.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The helper `_get_or_create_user` sends `openId`, `mobile`, and related identity data to a remote `/sys/phoneLogin` endpoint and can implicitly register a user (`register: 1`) without explicit user action. For a basic object-detection skill, automatic account creation/login is unrelated functionality and creates unauthorized identity use, privacy exposure, and possible account abuse risks.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The code stores retrieved `token`, `openToken`, and user profile information through `UserDao.save`, persisting credentials locally for later reuse. Persisting authentication artifacts in a generic utility tied to an object-detection skill increases the blast radius of compromise and may expose users to credential theft or unintended reuse across sessions.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The history-query trigger phrases are broad enough that ordinary requests about reports or prior analysis may automatically invoke historical report retrieval. In a surveillance context, this can cause unintended access to retained report metadata or links without a sufficiently explicit user intent check.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill states that uploaded attachments or media files are automatically saved as local files, but it does not provide a prominent warning, retention boundary, or cleanup policy. Local persistence of surveillance images and videos increases exposure of sensitive visual data if the workspace is shared, logged, or later reused.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill directs transmission of user-provided media and an identifier to a cloud API, but the documentation does not prominently disclose this data flow or its privacy implications. Because the media may contain surveillance footage and the identifier may be tied to a person, undisclosed remote processing and retention can expose sensitive personal and environmental information.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill reads the full local file and transmits it to an external analysis API without any visible user-facing disclosure or consent mechanism in this code path. For surveillance videos and images, that can expose highly sensitive footage, locations, or bystanders to remote services unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The request flow adds `pnaUserName`, tenant and platform metadata, and authentication headers such as `X-Access-Token`, `X-Api-Key`, and `Authorization` to outbound requests without any user-facing disclosure in normal operation. Even though some debug logging redacts long values, the core issue is silent transmission of identity and auth context to remote services unrelated to the advertised detection-only behavior.
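A practical mitigation for the silent header and identity injection described in this finding is an egress policy enforced per declared capability. The following is an added example, not the skill's own code: it allowlists destination hosts, paths and header names for the one capability the skill advertises (detection), rejects bodies carrying identity fields, and redacts secret-bearing headers before anything reaches an audit log. The vendor hostname, paths and the two sample requests are constructed assumptions.

```python
"""Per-capability egress policy for an agent skill (added example; the host,
paths and sample requests are assumptions, not the real skill's values)."""
from urllib.parse import urlsplit

# Header names whose values must never appear in logs (compared lower-case).
SECRET_HEADERS = {"authorization", "x-access-token", "x-api-key"}
# Body fields that carry identity or tenant context rather than detection input.
IDENTITY_FIELDS = {"pnaUserName", "tenantId", "platform", "openId", "mobile"}

# Assumed policy: the only advertised capability is object detection, so only
# the detection endpoint and the headers it needs are allowed.
POLICY = {
    "detect": {
        "hosts": {"api.example-vendor.test"},
        "paths": ("/detect",),
        "headers": {"x-api-key", "content-type"},
    },
}


class EgressViolation(Exception):
    """Raised when an outbound request falls outside the capability's policy."""


def redact(headers):
    """Copy of the headers with secret-bearing values replaced for logging."""
    return {k: ("<redacted>" if k.lower() in SECRET_HEADERS else v)
            for k, v in headers.items()}


def check_request(capability, url, headers, body):
    """Raise EgressViolation unless the request fits the capability's policy;
    otherwise return a log-safe view of it."""
    rule = POLICY.get(capability)
    if rule is None:
        raise EgressViolation(f"no policy for capability {capability!r}")
    u = urlsplit(url)
    if u.scheme != "https" or u.hostname not in rule["hosts"]:
        raise EgressViolation(f"destination not allowed: {u.scheme}://{u.hostname}")
    if not u.path.startswith(rule["paths"]):
        raise EgressViolation(f"path not allowed: {u.path}")
    extra = sorted(k for k in headers if k.lower() not in rule["headers"])
    if extra:
        raise EgressViolation(f"headers not allowed: {extra}")
    leaked = sorted(IDENTITY_FIELDS & set(body or {}))
    if leaked:
        raise EgressViolation(f"identity fields in body: {leaked}")
    return {"url": url, "headers": redact(headers), "body_keys": sorted(body or {})}


def evaluate(capability, url, headers, body):
    """('allowed', log_view) or ('blocked', reason) without raising."""
    try:
        return "allowed", check_request(capability, url, headers, body)
    except EgressViolation as exc:
        return "blocked", str(exc)


# Constructed sample requests modelled on the finding above.
SILENT_LOGIN = dict(
    url="https://api.example-vendor.test/sys/phoneLogin",
    headers={"X-Access-Token": "at-123", "X-Api-Key": "k-456", "Authorization": "Bearer t-789"},
    body={"openId": "user@example", "mobile": "13800000000", "register": 1, "pnaUserName": "alice"},
)
OVERSHARING_DETECT = dict(
    url="https://api.example-vendor.test/detect",
    headers={"X-Api-Key": "k-456", "Authorization": "Bearer t-789", "X-Access-Token": "at-123"},
    body={"media_ref": "frame-0001.jpg", "pnaUserName": "alice", "tenantId": "t-1"},
)
NARROW_DETECT = dict(
    url="https://api.example-vendor.test/detect",
    headers={"X-Api-Key": "k-456", "Content-Type": "application/json"},
    body={"media_ref": "frame-0001.jpg", "classes": ["person", "vehicle", "pet", "parcel"]},
)

if __name__ == "__main__":
    for name, req in [("silent login", SILENT_LOGIN),
                      ("oversharing detect", OVERSHARING_DETECT),
                      ("narrow detect", NARROW_DETECT)]:
        print(name, "->", evaluate("detect", **req))
```

The guard checks destination first, then path, then headers, then body, so the first violation reported for the login call is the path; tightening the order is a matter of taste, but every check must run before the request is sent rather than after it is logged.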

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The helper posts phone/mobile identity information to a remote endpoint to perform login or registration, but there is no explicit safety notice, consent flow, or indication that a surveillance-related skill will process personal identifiers this way. In context, this is especially concerning because the declared capability is object detection, not identity/account handling.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The skill explicitly tells the agent to request a username or phone number as the open-id and use it to save and query historical reports. This creates a natural-language collection flow for personal identifiers linked to surveillance analysis results, increasing the risk of privacy harm, account correlation, and unauthorized access to another person's report history if identifiers are guessed or reused.
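The access-control failure this finding describes is an insecure direct object reference: whoever types an open-id reads that user's history. The snippet below is an added example, not the skill's code. It contrasts a lookup keyed by the caller-supplied identifier with one bound to the authenticated session's subject, and it pseudonymises the identifier with a keyed hash before using it as a storage key so the local database does not hold raw phone numbers. The report store, sessions and HMAC key are constructed for the demonstration.

```python
"""Report-history lookup keyed by open-id: insecure vs. session-bound (added
example; the store, sessions and key below are constructed assumptions)."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed per-installation secret; in practice it lives outside the database.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonymize(open_id):
    """Keyed hash of the open-id used as the storage key, so a copied DB does
    not reveal usernames or phone numbers directly."""
    return hmac.new(PSEUDONYM_KEY, open_id.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed report history for two users, keyed by pseudonym.
_RAW = {
    "13800000001": [{"id": "r-101", "summary": "1 parcel, 0 persons"}],
    "13800000002": [{"id": "r-202", "summary": "2 persons, 1 vehicle"}],
}
REPORTS = {pseudonymize(oid): reports for oid, reports in _RAW.items()}


@dataclass(frozen=True)
class Session:
    """Identity established by the platform's authentication, not by whatever
    open-id the user typed into the conversation."""
    subject: str


class AccessDenied(Exception):
    """Raised when a lookup targets an identity other than the session's."""


def list_reports_insecure(open_id):
    """The pattern in the finding: the typed open-id selects whose history is
    returned. Pseudonymisation protects the data at rest but not this lookup."""
    return REPORTS.get(pseudonymize(open_id), [])


def list_reports(session, open_id=None):
    """Bind the lookup to the authenticated subject. A caller-supplied open-id
    may confirm who the caller is but never override it."""
    if open_id is not None and open_id != session.subject:
        raise AccessDenied("open-id does not match the authenticated subject")
    return REPORTS.get(pseudonymize(session.subject), [])


def attempt_cross_user():
    """Alice's session asking for Bob's history: 'denied' under the hardened
    lookup, whereas the insecure lookup would have returned it."""
    try:
        list_reports(Session("13800000001"), "13800000002")
    except AccessDenied:
        return "denied"
    return "leaked"


if __name__ == "__main__":
    print("insecure, guessed number:", list_reports_insecure("13800000002"))
    print("session-bound, own history:", list_reports(Session("13800000001")))
    print("session-bound, other user:", attempt_cross_user())
```

If the platform cannot supply an authenticated subject at all, the skill has no basis for serving history and should refuse rather than fall back to the typed identifier; a possessable secret per user (an invite token or similar) is the minimum, and a guessable phone number never is.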

VirusTotal

VirusTotal findings are pending for this skill version.
