Driver Head-Pose Abnormality (Head-Down / Side-View) Detection

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it sends sensitive driver video and identifiers to a cloud service while bundling broader health-analysis, account, and token-handling code that does not cleanly match its stated head-pose purpose.

Install only after verifying the publisher and cloud service, confirming driver consent, and checking what video, identifiers, account records, tokens, and historical reports are stored or shared. The skill should be tightened to head-pose-specific endpoints and schemas, avoid using API keys as user IDs, avoid storing raw tokens locally, and replace the invalid yaml dependency before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch
Severity: Medium, Confidence: 83%
Finding:
The skill broadens itself from live head-pose analysis into cloud-backed historical report retrieval and report-link presentation, which changes the data-access scope from single-analysis assistance to historical surveillance/report browsing. This is sensitive in a driver-monitoring context because historical reports may reveal behavioral patterns, timestamps, and identity-linked records beyond the immediate user request.

Description-Behavior Mismatch
Severity: Medium, Confidence: 81%
Finding:
The documented capability includes fleet_upload and event_record actions that extend beyond local head-pose detection into sharing or persisting driver-behavior data. In a fleet setting this increases privacy and compliance risk because biometric/video-derived behavioral events may be transmitted or retained without sufficiently explicit scoping in the manifest.

Context-Inappropriate Capability
Severity: High, Confidence: 99%
Finding:
The skill instructs the agent to read workspace configuration files and repurpose an api-key as a user's open-id, conflating credentials with user identity. This can leak secrets from local configuration, misuse privileged tokens in downstream requests, and create cross-user data access if backend systems treat the substituted identifier as authoritative.

Description-Behavior Mismatch
Severity: High, Confidence: 95%
Finding:
The documented API endpoint and response schema do not match the stated driver head-pose distraction-detection skill. Instead of returning head-pose angles, distraction events, or alert metadata, it describes generic face analysis and health/constitution diagnosis, indicating either a mismatched backend or copied documentation. In a safety-critical in-cabin monitoring context, this can cause integrators to send driver video to an unrelated external analysis service, creating privacy exposure, regulatory risk, and unsafe system behavior because alerts may be based on irrelevant outputs.

Context-Inappropriate Capability
Severity: Medium, Confidence: 88%
Finding:
Allowing arbitrary public video URLs is unjustified for an in-cabin DMS skill whose purpose is real-time driver monitoring from trusted vehicle cameras. This broadens the data ingestion surface, can enable misuse of the service for unrelated video surveillance or third-party content analysis, and may cause sensitive driver footage to be fetched from uncontrolled external locations. In this context, the feature is more dangerous because the skill is expected to process tightly scoped, privacy-sensitive in-vehicle data rather than general internet media.

Description-Behavior Mismatch
Severity: High, Confidence: 95%
Finding:
The code processes generic `commonAiResponse` and specifically `healthAiResponse`, which exceeds the manifest’s stated purpose of driver head-pose distraction analysis. This scope drift can expose unrelated or sensitive health-analysis data through a skill that users would reasonably expect to handle only driving-behavior telemetry, increasing the risk of improper data access, disclosure, and misuse.

Description-Behavior Mismatch
Severity: High, Confidence: 98%
Finding:
The report-listing code extracts and presents health-related assessment fields such as `healthAssessment.subject` rather than distraction-event data. In context, this is dangerous because a vehicle-safety skill could surface sensitive health information in histories, links, or fleet workflows where operators expect only driving-alert records, creating a confidentiality and purpose-limitation violation.

Context-Inappropriate Capability
Severity: Medium, Confidence: 83%
Finding:
The script accepts arbitrary remote URLs via `--url` and forwards them to backend analysis without any visible allowlisting, scheme restriction, or scope checks. In a vehicle DMS context, this expands the trust boundary beyond local in-cabin camera inputs and can enable misuse such as analyzing attacker-controlled external media, accessing internal network resources if fetched server-side, or processing unintended sensitive content.

Description-Behavior Mismatch
Severity: High, Confidence: 92%
Finding:
This file exposes a generic API wrapper with add, edit, delete, and raw http_get/http_post/http_put/http_delete methods that can target caller-supplied URLs, which is far broader than the declared head-pose distraction-analysis purpose. In a vehicle-monitoring skill, this unnecessarily expands the attack surface and can enable unintended data exfiltration, remote control flows, or misuse by other components through a permissive network primitive.

Context-Inappropriate Capability
Severity: High, Confidence: 94%
Finding:
The raw http_post/http_put/http_get/http_delete methods provide arbitrary outbound network request capability with no visible restriction on destination, operation, or payload. For a driver head-pose analysis skill, such unrestricted networking is unjustified and dangerous because camera-derived telemetry or related metadata could be sent to unintended endpoints, and the primitive could be repurposed for unauthorized actions.

Description-Behavior Mismatch
Severity: Medium, Confidence: 88%
Finding:
The file implements a generic user-account DAO and user model despite the skill being described as in-cabin head-pose distraction analysis. This scope mismatch increases the chance that the skill collects or persists unrelated personal data and authentication artifacts without clear necessity, expanding the privacy and attack surface beyond the declared function.

Context-Inappropriate Capability
Severity: High, Confidence: 95%
Finding:
The User model stores identity fields plus token and open_token values, which are sensitive authentication-style secrets not justified by the stated head-pose monitoring purpose. If the local SQLite database is accessed, copied, or improperly shared, these fields could enable account compromise, session abuse, or unnecessary privacy exposure.

Description-Behavior Mismatch
Severity: High, Confidence: 93%
Finding:
The request helper goes far beyond a head-pose analysis utility: it can silently create/login external accounts, fetch and persist tokens, and attach authentication material to arbitrary outbound requests. In the context of an in-cabin safety skill, this hidden identity provisioning and token management materially expands the trust boundary and can expose user identifiers, create unintended accounts, or enable unauthorized backend access if misused.

Context-Inappropriate Capability
Severity: Medium, Confidence: 88%
Finding:
The utility contains billing/payment remediation text and workflow guidance unrelated to driver head-pose monitoring. Embedding monetization/install flows inside a generic HTTP path is dangerous because it mixes unrelated operational behavior into safety functionality and may manipulate users or conceal service dependencies not disclosed by the skill manifest.

Context-Inappropriate Capability
Severity: Medium, Confidence: 84%
Finding:
This file exposes broad HTTP request capabilities, automatic header injection, token use, and retry behavior that are not justified by the described local head-pose distraction-detection function. While networking itself is not always malicious, this creates unnecessary exfiltration and remote-control surface in a safety-focused skill where users would reasonably expect mostly local processing.

Vague Triggers
Severity: Medium, Confidence: 84%
Finding:
The automatic trigger rules are broad enough to invoke the skill for generic mentions of distraction, DMS, head pose, or report viewing, potentially causing unintended processing of uploaded videos or historical-report queries. Over-broad invocation is especially risky here because the skill can access files, call remote APIs, and handle sensitive driver-monitoring data.

Missing User Warnings
Severity: High, Confidence: 97%
Finding:
The skill does not clearly warn users that uploaded driver videos and identifiers may be transmitted to a remote backend for analysis and report retrieval. In this context the data is highly sensitive because it can include biometric/behavioral monitoring, timestamps, and identity-linked fleet records, so lack of explicit disclosure undermines informed consent and privacy compliance.

Missing User Warnings
Severity: Medium, Confidence: 91%
Finding:
The HTTP helper automatically transmits usernames, tenant codes, app identifiers, API keys, and access tokens, and may also register users through remote requests, without any visible non-debug consent or disclosure mechanism. In a driver-monitoring skill, this is particularly sensitive because users may not expect identity and account metadata to be sent off-device as part of a distraction-detection feature.

VirusTotal

VirusTotal findings are pending for this skill version.