Adult Facial HRV Trend Monitoring (rPPG) | 成人心率变异性(HRV)趋势监测(面部)

Security checks across malware telemetry and agentic risk

Overview

This skill handles sensitive face-video health data, but its code and docs show mismatched analysis behavior, hidden identity/account handling, and weak token/persistence controls.

Review before installing. Only use this skill if you are comfortable sending face videos, user identifiers, and report queries to the publisher's cloud service, and if the publisher can explain the API mismatch, account creation/login behavior, plaintext token storage, dependency issue, and retention/privacy controls. Do not provide real API keys as open-id values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Finding:
The skill instructs reading api-key values from local configuration files and repurposing them as an open-id, even though that identifier is unrelated to the stated HRV analysis task. This creates a secret-handling flaw and a privilege-boundary violation: local credentials may be exfiltrated or misused as user identifiers without user knowledge.

Intent-Code Divergence
Severity: Medium | Confidence: 93%
Finding:
The documentation claims the workflow must pause and request an open-id, but the actual acquisition path first pulls api-key values from config files and treats them as open-id. This inconsistency is dangerous because it bypasses intended consent and makes the skill silently substitute local secrets for user-provided identity data.

Description-Behavior Mismatch
Severity: High | Confidence: 95%
Finding:
The analysis method silently injects a petType parameter into requests for a skill described as human facial HRV monitoring. This indicates the code may be repurposed from another domain or routed to an incompatible backend path, creating a risk of misclassification, incorrect medical-style inferences, or sending user biometric data into the wrong processing pipeline.

Intent-Code Divergence
Severity: Medium | Confidence: 83%
Finding:
The --export-env-only flag claims it will only emit environment-variable export commands and avoid analysis, but the code never checks the flag and still proceeds with normal execution. In a health-video processing skill, this can cause unintended processing of sensitive facial video and associated identifiers when a user explicitly expected a non-executing mode.

Description-Behavior Mismatch
Severity: High | Confidence: 97%
Finding:
The referenced API does not match the advertised HRV/rPPG trend-monitoring skill: it exposes a generic facial analysis endpoint returning constitution and organ-condition style diagnostics instead of HRV metrics such as SDNN/RMSSD and trend data. This mismatch is dangerous because it indicates the skill may collect sensitive face video under false pretenses, enabling undeclared biometric/health inference and misleading users and integrators about what data is processed and what outputs are produced.

Description-Behavior Mismatch
Severity: Medium | Confidence: 92%
Finding:
The skill accepts arbitrary HTTP/HTTPS video URLs and forwards them to the backend analysis flow, even though the stated functionality is based on local camera capture for personal health monitoring. This expands the trust boundary and can enable server-side fetching of attacker-controlled URLs, creating SSRF-style risk, access to internal resources, or processing of untrusted remote media outside the declared use case.

Description-Behavior Mismatch
Severity: Medium | Confidence: 84%
Finding:
The skill exposes report listing and export-link generation features that go beyond simple HRV analysis described in the metadata. In a health context, report enumeration and export URLs can expose sensitive historical medical or wellness data if access control is weak upstream or if callers can invoke these methods without proper authorization scoping.

Context-Inappropriate Capability
Severity: Medium | Confidence: 81%
Finding:
Accepting arbitrary remote URLs expands the attack surface beyond the manifest's local everyday-camera workflow and can enable server-side fetching of attacker-controlled resources. If downstream components retrieve the URL without strict validation, this can lead to SSRF-style access to internal services, unintended network egress, or ingestion of hostile content.

Description-Behavior Mismatch
Severity: Medium | Confidence: 92%
Finding:
The file implements generic user-account storage, including identity and credential-adjacent fields, which exceeds the stated HRV facial trend-monitoring purpose. In a health-monitoring skill, collecting unrelated account data expands the attack surface and increases privacy/compliance risk because sensitive health context may become linkable to user identities and tokens.

Context-Inappropriate Capability
Severity: High | Confidence: 97%
Finding:
The User model stores token and open_token values in plaintext fields even though the skill description does not justify credential storage. If the SQLite database is accessed by another local user, exfiltrated, or backed up insecurely, these tokens could enable account takeover, API abuse, or unauthorized linkage of health-monitoring data to external services.

Description-Behavior Mismatch
Severity: High | Confidence: 95%
Finding:
This utility layer silently performs user lookup, account creation/login, token acquisition, and token persistence even though the stated skill purpose is HRV trend monitoring from camera data. That creates hidden identity and credential-handling behavior, expands the attack surface, and can cause unauthorized collection or reuse of user identifiers and access tokens without clear consent or least-privilege boundaries.

Description-Behavior Mismatch
Severity: Medium | Confidence: 88%
Finding:
The HTTP error path injects unrelated installation and recharge instructions for a payment skill, which is outside the declared behavior of an HRV monitoring skill. Hidden cross-skill promotion or monetization logic is risky because it can mislead users, mask failures, and create unexpected workflow pivots to other services.

Context-Inappropriate Capability
Severity: Medium | Confidence: 90%
Finding:
Hard-coded promotion of a payment skill and recharge workflow is not justified by the HRV monitoring use case and indicates undeclared commercial behavior embedded in shared request code. This can be abused for dark-pattern upsell flows or to route users into unnecessary installations unrelated to the advertised medical-style function.

Vague Triggers
Severity: Medium | Confidence: 84%
Finding:
The default trigger is broad enough to auto-run on any uploaded adult facial video that 'needs analysis,' which can cause unintended processing of sensitive biometric data. In the context of face video and health inference, overly broad auto-invocation increases privacy risk and reduces meaningful user consent.

Vague Triggers
Severity: Medium | Confidence: 86%
Finding:
The history-query trigger keywords are overly broad and can invoke cloud report retrieval on vague requests for reports or history. Because these queries are tied to identity data and health-related records, accidental invocation can expose or fetch sensitive information without clear user intent.

Missing User Warnings
Severity: Medium | Confidence: 91%
Finding:
The skill states that uploaded attachments or video files are automatically saved locally, but it does not present a prominent warning or consent step beforehand. Since the files are facial videos containing biometric and health-related information, silent local persistence materially increases privacy, retention, and secondary-access risk.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding:
The skill omits a clear warning that historical HRV report queries send user identifiers and health-related data to a cloud API. This is dangerous because users may believe they are performing a local query while the skill actually transmits sensitive biometric/health context to a remote service.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding:
The API documentation instructs clients to upload facial videos or submit public video URLs but provides no privacy notice, retention policy, consent requirements, or handling constraints for highly sensitive biometric and health-related data. In this skill context, the omission is more dangerous because the content involves face imagery and inferred health status, creating elevated risks of unauthorized disclosure, secondary use, or non-compliant processing.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding:
The code reads an arbitrary local file fully into memory and sends its contents to the analysis API, but this file contains no user-facing disclosure, confirmation, or restriction beyond extension and size checks. Because the skill handles health-related facial video, silent exfiltration of local media to a remote service raises meaningful privacy and consent concerns, especially for sensitive biometric data.

Missing User Warnings
Severity: Medium | Confidence: 88%
Finding:
The code automatically performs a schema alteration on startup without migration controls, operator approval, or version checks. In practice this can cause unexpected data changes, startup-time failures, or unsafe schema drift, especially in shared environments where local databases may contain sensitive user and health-related records.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding:
The request wrapper automatically transmits user identifiers and authentication headers, including username/openId-derived data and access tokens, without any visible notice or consent gate in this code path. In a health-related skill, undisclosed transmission of identity-linked data is especially sensitive because it can enable account correlation, profiling, or leakage of protected health context.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding:
The helper creates or logs in a user by sending mobile and openId values to a remote endpoint without any obvious user-facing disclosure in this implementation. Because those identifiers are directly linkable to a person, this behavior risks unauthorized account creation, identity correlation, and privacy violations, particularly in a health-monitoring context.

VirusTotal

VirusTotal findings are pending for this skill version.