Smart E-Bike Detection Skill | 电动车智能检测技能

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its electric-vehicle detection purpose, but it also performs under-disclosed account login/creation and local token storage when using the remote analysis service.

Install only if you are comfortable sending the selected media and a user/admin identifier to the LifeEmergence/SMYX remote service. Review the account creation/login behavior, local SQLite token storage, and history-report access model first; avoid using phone numbers or API keys as identifiers unless the publisher documents why this is required and how records are protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Intent-Code Divergence

Medium severity, 91% confidence.
The examples use a placeholder/default-style open-id immediately after the document warns against assuming or generating one. Contradictory examples are dangerous because operators and agents often copy sample commands verbatim, which can normalize use of guessed identifiers and lead to misattribution, cross-tenant access attempts, or accidental data exposure.

Description-Behavior Mismatch

Medium severity, 92% confidence.
The skill exposes functionality to list prior analyses and construct export URLs, which goes beyond the stated real-time/image detection purpose in the manifest. Expanding capability from single-run analysis to historical retrieval increases the chance of unauthorized access to prior results or metadata, especially if access control is handled only through a caller-supplied identifier.

Context-Inappropriate Capability

Medium severity, 95% confidence.
The code accepts a broad `--open-id` value described as OpenID, user ID, username, or phone number, and uses it to retrieve analysis history. This creates an insecure direct object reference/privacy risk because an attacker may enumerate or supply another person's identifier to access records unrelated to the immediate computer-vision detection task.

Description-Behavior Mismatch

High severity, 99% confidence.
The documented API behavior is fundamentally inconsistent with the stated skill purpose of detecting electric motorcycles and e-bikes in restricted areas. Instead, the response schema exposes face detection and health/constitution diagnosis fields, indicating either documentation mix-up or backend capability confusion that could cause users to submit surveillance footage to an unrelated biometric/health analysis service.

Context-Inappropriate Capability

High severity, 98% confidence.
Face detection and health-analysis capabilities are unjustified and over-privileged for an electric-vehicle detection skill, creating a strong risk of covert collection or inference of sensitive biometric and health-related information. In the context of video uploads from parks, communities, or organizations, this expands surveillance scope beyond the user's expected purpose and may expose highly sensitive personal data.

Context-Inappropriate Capability

Medium severity, 93% confidence.
This code exposes generic HTTP helper methods (GET/POST/PUT/DELETE) that can send requests to arbitrary URLs, which is broader than the stated EV detection purpose. In an agent skill context, this creates unnecessary remote interaction capability that could be repurposed for unauthorized outbound requests, data exfiltration, or invoking unrelated internal/external services if higher-level code passes attacker-influenced URLs or payloads.

Context-Inappropriate Capability

Medium severity, 90% confidence.
The add/edit/delete methods provide generic remote state-changing operations without any domain-specific restriction, making the skill capable of mutating arbitrary backend resources beyond EV detection or alerting. In an agent environment, such broad mutation surfaces increase the risk of misuse, especially if other components can influence the target URL or request body.

Description-Behavior Mismatch

Medium severity, 82% confidence.
The file implements a generic user-account DAO, including identity lookup and mutation logic, even though the skill is described as electric-vehicle detection and alerting. This unnecessary account-management capability expands the attack surface and creates opportunities for unauthorized handling of user records unrelated to the declared function of the skill.

Context-Inappropriate Capability

Medium severity, 90% confidence.
The User model stores sensitive identity and authentication-related fields such as username, realname, email, token, and open_token, and the DAO provides generic create and update paths for them. In the context of an EV-detection skill, collecting and mutating this data is not justified by the manifest and raises significant privacy and credential-handling risk if the database is accessed or misused.

Description-Behavior Mismatch

High severity, 98% confidence.
The utility performs authenticated remote API calls and even provisions or recovers user context automatically, which materially exceeds the manifest's stated EV-detection/violation-analysis purpose. This creates an undisclosed capability to transmit identifiers, obtain tokens, and act on behalf of a user against external services, increasing privacy, integrity, and supply-chain risk.

Description-Behavior Mismatch

High severity, 97% confidence.
The code stores user records plus token/openToken values locally after network-based account creation/login. Persisting bearer credentials without clear disclosure or scoped storage expands the blast radius of host compromise and is inconsistent with a detection-only skill description.

Vague Triggers

Medium severity, 88% confidence.
The auto-trigger keywords for historical report queries are broad enough to match generic requests like viewing reports or records, potentially causing the skill to invoke remote history-listing behavior outside a clearly intended EV-detection context. In an agent setting, over-broad triggers can lead to unintended data access and privacy violations.

Vague Triggers

Medium severity, 84% confidence.
The default activation rule triggers on uploaded video/image files for EV detection requests without sufficiently constraining intent or scope. Ambiguous activation increases the chance that unrelated uploaded media will be processed or sent to backend services unexpectedly, creating consent and data-handling risks.

Missing User Warnings

Medium severity, 88% confidence.
The API accepts uploaded videos and public video URLs but provides no privacy, retention, consent, or data-handling warnings. Because the skill operates on surveillance-style footage in sensitive real-world environments, users may unknowingly transmit identifiable images of people, vehicles, and locations without understanding storage, sharing, or compliance implications.

Missing User Warnings

Medium severity, 87% confidence.
The code reads arbitrary local file contents into memory and transmits them to a backend analysis service without any user-facing disclosure, confirmation step, or visible restriction beyond extension and size checks. In a skill context, this can lead to unintended exfiltration of sensitive local data if a user or upstream agent supplies an unexpected file path, especially because the skill also accepts remote URLs and is framed as an analysis helper.

Missing User Warnings

Medium severity, 83% confidence.
The script sends a user identifier (`open_id`, described as OpenID/UserId/username/phone number) into analysis/list operations without any notice, minimization, or visible consent flow. In a surveillance-oriented skill, this increases privacy risk because personally identifiable information may be linked to detection history and retained by backend services.

Missing User Warnings

Medium severity, 75% confidence.
The script forwards a local file path or remote URL to backend analysis logic without warning the operator that potentially sensitive video content or references may be transmitted to an external service. Given the skill's context of monitoring parks/communities/organizations, the content likely includes people, vehicles, and location data, making silent transmission a meaningful privacy and compliance risk.

Missing User Warnings

Medium severity, 96% confidence.
The request wrapper attaches identifiers and authentication headers (including pnaUserName, X-Access-Token, X-Api-Key, Authorization, tenant/skill metadata) to outbound requests without any visible user-facing disclosure in this component. In a skill advertised as computer-vision detection, hidden transmission of identity and credential material is a meaningful privacy and trust violation.

Missing User Warnings

High severity, 99% confidence.
The helper silently creates or logs into an external account using phone/openId-style fields derived from the username and sends them to a remote endpoint. Automatic account provisioning without an explicit prompt or notice is dangerous because it can expose personal identifiers, create shadow accounts, and bind users to external services they did not knowingly authorize.

Ssd 3

Medium severity, 96% confidence.
The instructions tell the agent to read api-key values from local configuration files and reuse them as open-id/user identifiers for API calls. This is dangerous because it conflates secret credentials with user identity, encourages local secret harvesting, and can leak or misuse privileged configuration values in downstream requests.

VirusTotal

61/61 vendors flagged this skill as clean.