Child Separation Anxiety Detection (Pre-School Crying) | 儿童分离焦虑识别(上学前哭闹)

Security checks across malware telemetry and agentic risk

Overview

This child-video monitoring skill is purpose-adjacent, but it needs Review because it handles minors' videos, identifiers, cloud reports, account creation, and stored tokens with unclear consent and scoping.

Install only after the publisher removes config-derived identity use, documents and gates consent for child video uploads/history access, disables silent account creation, protects or avoids local token storage, fixes the dependency manifest, and clearly proves that the backend performs only the advertised child separation-anxiety analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to read shared config files and repurpose an `api-key` as the user's `open-id`, which is a credential-harvesting pattern unrelated to the stated task. In context, this is especially dangerous because it targets local secret material and could silently impersonate a user or access cloud-stored child monitoring reports without informed consent.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill contains contradictory identity-handling instructions: it says to prompt the user for an `open-id`, but first tells the agent to silently derive it from config `api-key` values. This inconsistency is dangerous because it creates a path for covert credential substitution and makes it easier for implementations to skip consent and use local secrets instead of user-supplied identifiers.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code and comment indicate a pet-related parameter is being injected into requests for a child separation-anxiety detection skill. This mismatch strongly suggests code reuse or cross-skill parameter contamination, which can cause incorrect routing, unintended backend behavior, or leakage of unrelated metadata into a service processing sensitive child video analysis.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Sending a pet-related capability parameter in a child-focused behavioral analysis API is unjustified by the skill's stated purpose and may alter server-side processing in unexpected ways. In this context, the mismatch is more dangerous because the skill handles sensitive monitoring of preschool children, so extraneous parameters can undermine data integrity, trigger the wrong model, or expose regulated personal data to unintended processing paths.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documented endpoint accepts child video data for a stated separation-anxiety use case, but the response schema describes unrelated face/constitution/organ-health diagnosis. This mismatch is dangerous because it suggests the skill may call a generic or repurposed backend that performs undisclosed biometric or health inference on minors, creating both security and privacy risks and making downstream handling unpredictable.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The referenced API behavior is unrelated to separation-anxiety detection and instead returns traditional health/constitution analysis data. In the context of a skill processing preschool children at home or school entrances, this raises serious concerns of covert secondary use, data repurposing, or integration with the wrong service, any of which could expose sensitive child data to unintended processing.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation accepts any local file path or remote HTTP(S) URL and forwards it to a generic analysis backend, without enforcing that the content or workflow is limited to the declared child separation-anxiety detection use case. This creates a scope-expansion risk: users or integrators can use the skill as a general media exfiltration and analysis proxy, including for sensitive household or school footage unrelated to the stated purpose.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The skill exposes generic report listing and export-link generation capabilities that go beyond the manifest's limited monitoring and alerting description. In a child-focused surveillance context, broad access to historical reports and export URLs can increase unauthorized visibility into sensitive behavioral records and make secondary sharing easier.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The script exposes a history-listing function via `--list` that retrieves prior analyses for a supplied `open_id`, but this capability is not reflected in the stated skill purpose of analyzing current videos and sending reminders. In a child-monitoring context, historical emotional/behavioral analysis data is highly sensitive, so an undocumented retrieval path increases privacy and access-control risk, especially if authorization checks are weak or delegated entirely to backend code.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script accepts arbitrary remote URLs and passes them to the analysis workflow, which expands the skill from fixed-camera local monitoring into general remote-content fetching. If the downstream service retrieves those URLs, this can enable server-side request forgery, processing of untrusted third-party media, or covert exfiltration paths, which is riskier than the manifest's narrow home/kindergarten camera scenario.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The model stores authentication-style tokens alongside personal profile data in a local SQLite database, yet there is no evidence of encryption, hashing, access controls, retention limits, or least-privilege handling. If the database file is accessed by another local process, copied from disk, or included in backups/log bundles, attackers could obtain reusable tokens and sensitive user data, which is especially concerning given the child-focused monitoring context and the sensitivity of associated household or school deployments.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This utility code performs out-of-scope identity actions: it can auto-login or register a user via `/sys/phoneLogin`, fetch tokens, and persist them locally through DAO storage. For a video-analysis skill focused on detecting child separation anxiety, embedded account provisioning and token management materially expand the attack surface and enable undisclosed collection, linkage, and reuse of user identities.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `_get_or_create_user` helper can silently create or log into remote accounts using a username/mobile as both `openId` and `mobile`, with `register: 1` and `silent: 1`. That is dangerous because it enables undisclosed remote account provisioning and identity binding unrelated to the stated child-emotion detection function, creating privacy, consent, and abuse risks.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code stores and reuses tokens and user profile data through a DAO, allowing persistent authentication state beyond a single request. In this skill context, persistence of identity artifacts is not obviously required for local or bounded video analysis and increases the risk of credential leakage, unauthorized reuse, and hidden tracking of parents/teachers or children-associated accounts.

Missing User Warnings

High
Confidence
89% confidence
Finding
The skill processes continuous video monitoring of children and generates/stores sensitive reports, but the description does not present a clear upfront warning before the operational instructions. In this context, the omission is dangerous because the data concerns minors and emotionally sensitive behavioral assessments, so inadequate notice undermines meaningful consent and increases privacy/compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API documentation describes uploading videos or public video URLs containing children, faces, and behavioral signals, but provides no warning about privacy, retention, consent, or handling of biometric and potentially health-related data. Because the skill targets minors in sensitive contexts, omission of these controls materially increases the risk of unauthorized collection, disclosure, and noncompliant processing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads arbitrary local video files into memory and sends them to a remote analysis service without any user-facing consent, warning, or confirmation in this component. Because the skill targets recordings of pre-school children at home or kindergarten entrances, silent upload of such footage raises significant privacy and data-protection risk if triggered unexpectedly or by a misconfigured integration.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The CLI requires `--open-id` and explicitly allows highly sensitive identifiers such as user ID, username, or phone number, but provides no privacy notice, minimization, masking, or guidance on secure handling. In this skill's context, those identifiers become linked to child behavioral and mental-health-adjacent analysis data, increasing the sensitivity and privacy impact of misuse or logging exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When debug mode is enabled, the code turns on low-level HTTPConnection and urllib3 debug logging, which can expose request URLs, bodies, headers, and response content in logs. Because this utility later handles tokens, user identifiers, and potentially sensitive service responses, debug logging can leak authentication or personal data without adequate safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The request wrapper automatically attaches authentication headers (`X-Access-Token`, `X-Api-Key`, `Authorization`) and user identifiers such as `pnaUserName`, then transmits them to remote endpoints. In a child-monitoring skill, undisclosed transmission of identifiers and auth material is especially sensitive because it can link caregiver accounts to child behavioral data and broaden privacy exposure.

VirusTotal

VirusTotal findings are pending for this skill version.
