
Security checks across malware telemetry and agentic risk

Overview

The skill is presented as a face-recognition cloud integration, but it also contains account-provisioning, token-storage, and health-analysis/report behavior that its description does not disclose and that users should review before installing.

Install only if you are comfortable sending images or videos containing faces to the Life Emergence/SMYX cloud services, linking those reports to a username/phone/open-id, and allowing the skill to store API tokens locally. Review the backend account flow, token handling, report-retention policy, and whether the service performs only familiar-person recognition rather than health or physiognomy-style analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exposes significant capabilities including environment access, file read/write, network access, and shell execution, yet declares no permissions. This undermines informed consent and security review because a user or platform may treat it as low-risk while it can save files locally, read configuration, invoke shell commands, and contact external services.
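The check behind an underdeclared-capability finding is a diff between what the code can do and what the manifest says. The block below is added example code written for this page (not SkillSpector's scanner and not the skill's own code): it walks a Python source tree with the standard `ast` module, records the environment, file, network and shell capabilities it exercises, and subtracts the declared set. The capability names, the module and call tables, and `SAMPLE_SKILL` are all constructed for the example.

```python
"""Added example: derive a skill's observable capabilities from its source with
the ast module and diff them against what it declares. The capability names,
the module/call tables and SAMPLE_SKILL are constructed for this page."""
import ast

# Modules whose import implies outbound network access (assumed list).
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}
# Dotted call targets that execute shell commands.
SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "subprocess.check_call",
               "os.system", "os.popen"}


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_mode(call):
    """Mode string of a builtin open() call, defaulting to 'r' like Python does."""
    mode = "r"
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return mode if isinstance(mode, str) else "r"


def observed_capabilities(source):
    """Set of capabilities the code exercises: environment, file_read,
    file_write, network, shell. Limitation: only dotted os.* access is
    recognised (a `from os import environ` form is missed)."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in NETWORK_MODULES for a in node.names):
                caps.add("network")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                caps.add("network")
        elif isinstance(node, ast.Attribute):
            d = _dotted(node) or ""
            if d.startswith("os.environ") or d == "os.getenv":
                caps.add("environment")
        elif isinstance(node, ast.Call):
            d = _dotted(node.func)
            if d in SHELL_CALLS:
                caps.add("shell")
            elif d == "open":
                mode = _open_mode(node)
                caps.add("file_write" if any(c in mode for c in "wax+") else "file_read")
    return caps


def undeclared_capabilities(source, declared):
    """Capabilities the code uses but the manifest does not declare."""
    return observed_capabilities(source) - set(declared)


# Constructed sample: a skill whose manifest declares only "network".
SAMPLE_SKILL = '''
import os, subprocess
import requests

def analyze(path):
    key = os.environ.get("X_API_KEY")
    data = open(path, "rb").read()
    with open("/tmp/last_upload.bin", "wb") as f:   # silent local copy
        f.write(data)
    subprocess.run(["ls", "-l", "/tmp"])
    return requests.post("https://example.invalid/analyze",
                         headers={"X-API-Key": key}, files={"file": data})
'''
DECLARED = {"network"}

if __name__ == "__main__":
    print("observed  :", sorted(observed_capabilities(SAMPLE_SKILL)))
    print("undeclared:", sorted(undeclared_capabilities(SAMPLE_SKILL, DECLARED)))
```

Run it against each source file shipped with a skill and compare the union against the permission declaration; anything in the undeclared set is exactly the gap this finding describes. The scanner is deliberately syntactic, so it does not follow aliases or dynamic imports; treat an empty result as "nothing obvious", not as a clean bill.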

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is face recognition, but the skill behavior reportedly includes account/login provisioning, token storage, generic report retrieval, and export functionality not clearly disclosed in the description. This mismatch can conceal sensitive data handling and broader backend access than users expect, increasing the risk of unauthorized account actions, privacy violations, and misuse of stored credentials or tokens.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented response schema describes face-based constitution, organ-condition, and health-warning outputs rather than familiar-person recognition. This indicates the skill may be wired to a physiognomy/health-inference API that processes facial imagery for sensitive health-related conclusions, which is a serious mismatch from the stated identity-recognition purpose and can enable undisclosed collection or inference of sensitive personal data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API behavior described in the document is for health/physiognomy analysis of uploaded video, not acquaintance recognition. In a skill explicitly marketed for recognizing known individuals in homes and offices, this mismatch is dangerous because operators may unknowingly send biometric data to a service performing sensitive attribute inference outside user expectations or consent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is described as familiar-person recognition, but the code explicitly processes and surfaces `healthAiResponse` and related report-export behavior. This indicates cross-domain functionality that can expose sensitive health-analysis outputs through a skill that users would reasonably expect to handle only identity/face-recognition tasks, creating a data-scope and privacy boundary violation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The report-listing code extracts `healthAssessment.subject` from `healthAiResponse` or `faceAnalysisResponse` and displays it in historical report output, despite the skill being for familiar-person recognition. This can leak sensitive health-related inferences to users of an unrelated skill and broadens access to special-category personal data without clear purpose limitation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file implements a generic local persistence layer for broad user-record CRUD, including account-style fields, rather than a narrowly scoped face-recognition analysis component. In the context of a skill advertised for familiar-person recognition, this expands data collection and mutation capabilities beyond user expectations and increases privacy and abuse risk if invoked by other components.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores token and open_token fields in a local SQLite database, which are effectively credentials or bearer secrets. In a face-recognition analysis skill, retaining such tokens is not clearly justified and creates a significant compromise path: anyone who accesses the DB file may gain downstream account or API access.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The HTTP helper silently performs account creation/login via /sys/phoneLogin using a username/openId and then persists returned token and openToken values locally. For a familiar-person recognition skill, this is unrelated to core image-analysis functionality and creates hidden identity, account, and credential-handling behavior that could cause unauthorized account provisioning and long-lived token storage without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The request handler injects a cross-skill payment/install workflow when a 402 response occurs, telling the user to install another skill and recharge. Embedding monetization or cross-skill activation logic inside a low-level network utility is outside the stated recognition purpose and can be abused to steer users into unrelated actions from a privileged code path.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions include broad, common phrases that can cause the skill or its report-listing mode to activate unintentionally. In this context, accidental activation is more dangerous because the skill handles biometric data, may save uploads locally, and can query cloud-hosted historical reports tied to an open-id.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that uploaded image/video attachments are automatically saved as local files without a clear warning or consent flow. Because the content is biometric and surveillance-related, undisclosed local persistence increases privacy, retention, and secondary-access risks if the host or other tools can read those files later.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to upload videos or provide publicly accessible video URLs without any warning about privacy, consent, retention, or handling of biometric/sensitive imagery. Because this skill concerns face analysis in homes and offices, the absence of privacy guidance increases the risk of exposing identifiable people, surveillance footage, and other sensitive content to unauthorized parties or third-party services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document tells users to send an X-API-Key but provides no warning about credential protection, storage, rotation, or avoiding client-side exposure. This can lead to accidental key leakage in frontend code, logs, screenshots, or shared examples, enabling unauthorized API use and access to sensitive video-analysis capabilities.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads arbitrary local file contents and sends them to the remote analysis API via `files`, but this file contains no user-facing disclosure, confirmation, or minimization controls. In a biometric-analysis skill, this is particularly sensitive because uploaded images/videos may contain faces and other personal data, so silent transfer to a backend increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script requires a sensitive user identifier via the --open-id command-line argument, which may contain an OpenID, user ID, username, or phone number. Command-line arguments are visible to other local users through shell history, process listings (ps, /proc/<pid>/cmdline), job schedulers, logs, and telemetry, so this can leak personally identifiable information and account-linked identifiers during normal operation. In the context of a face-recognition/identity-verification skill, the sensitivity is elevated because the identifier is associated with biometric analysis results.
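The following is added example code for this page, not the skill's CLI: one function shows which argv values a process listing would expose, another reads what /proc/self/cmdline actually publishes on Linux, and a hardened intake refuses the identifier on the command line and takes it from an environment variable or standard input instead. The flag names, the SKILL_OPEN_ID variable and the sample argument values are assumptions made for the example. Note that /proc/<pid>/environ, unlike cmdline, is readable only by the process owner, which is why the environment route is the safer of the two.

```python
"""Added example: why a sensitive identifier on the command line leaks, and a
hardened intake that refuses it there. Flag names, the SKILL_OPEN_ID variable
and the sample argv values are assumptions for this page, not the skill's CLI."""
import argparse
import os
import sys

SENSITIVE_FLAGS = {"--open-id", "--token", "--api-key"}   # assumed flag names


def values_visible_in_process_list(argv):
    """Values that follow these flags are readable by every local user through
    ps, /proc/<pid>/cmdline, shell history and most job/audit logs."""
    leaked = {}
    for i, arg in enumerate(argv):
        if arg in SENSITIVE_FLAGS and i + 1 < len(argv):
            leaked[arg] = argv[i + 1]
        elif "=" in arg and arg.split("=", 1)[0] in SENSITIVE_FLAGS:
            flag, value = arg.split("=", 1)
            leaked[flag] = value
    return leaked


def own_cmdline():
    """What /proc publishes for this process on Linux; falls back to sys.argv."""
    try:
        with open("/proc/self/cmdline", "rb") as f:
            return f.read().split(b"\0")[:-1]
    except OSError:
        return [a.encode() for a in sys.argv]


def resolve_open_id(argv, env, stdin_text=None):
    """Hardened intake. Returns (open_id, source). The identifier is accepted
    from the SKILL_OPEN_ID environment variable or, with --open-id-stdin, from
    standard input; passing --open-id <value> on argv is rejected."""
    parser = argparse.ArgumentParser(prog="skill", add_help=False)
    parser.add_argument("--open-id", dest="open_id_argv")
    parser.add_argument("--open-id-stdin", action="store_true")
    ns, _rest = parser.parse_known_args(argv)
    if ns.open_id_argv is not None:
        raise ValueError("--open-id on the command line is visible in process "
                         "listings; set SKILL_OPEN_ID or use --open-id-stdin")
    if env.get("SKILL_OPEN_ID"):
        return env["SKILL_OPEN_ID"], "env"
    if ns.open_id_stdin:
        text = sys.stdin.read() if stdin_text is None else stdin_text
        value = text.strip()
        if value:
            return value, "stdin"
    raise ValueError("no open id supplied via SKILL_OPEN_ID or --open-id-stdin")


if __name__ == "__main__":
    demo = ["skill.py", "--open-id", "oid-42", "--video", "a.mp4"]
    print("leaks:", values_visible_in_process_list(demo))
    print("this process:", own_cmdline())
    print(resolve_open_id(sys.argv[1:], os.environ))
```

Invoke the hardened form as `SKILL_OPEN_ID=... python skill.py --video a.mp4` or `printf '%s' "$ID" | python skill.py --open-id-stdin`; both keep the identifier out of the world-readable command line, and the explicit rejection stops a copied-and-pasted `--open-id` from silently reintroducing the leak.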

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends credential-related identity data (openId, mobile, source) to a remote endpoint to create or retrieve an account, but there is no visible notice, consent, or disclosure to the user. In a face-recognition skill context, undisclosed transmission of identifiers materially increases privacy and trust risk because the skill already processes sensitive identity-related data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Retrieved authentication tokens are written into local user records without any visible warning, consent, or security controls shown here. Persisting bearer tokens extends the blast radius of compromise and may enable replay or unauthorized API access if the local store is exposed.
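This finding and the User model finding above (token and open_token columns in a local SQLite database) reduce to the same question: which columns of the on-disk store hold live bearer secrets, and can they be cleared when the session ends? The block below is added example code for this page, not the skill's persistence layer. It builds an in-memory table whose column names are taken from the findings (the rows are constructed data), lists credential-looking columns with the number of rows that carry a value, and nulls them out as the minimal remediation when the tokens are not needed beyond the session. The column-name heuristic is an assumption.

```python
"""Added example: audit a skill's local SQLite store for credential-like
columns and count how many rows hold a live value. The table layout below is
constructed to match the field names in the findings; it is not the skill's
actual schema."""
import re
import sqlite3

# Column names that usually hold bearer secrets (assumed heuristic).
SECRET_COLUMN_RE = re.compile(r"token|secret|passw|api_?key|credential", re.I)


def build_sample_db():
    """In-memory stand-in for the on-disk user database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, mobile TEXT,"
        " open_id TEXT, token TEXT, open_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, mobile, open_id, token, open_token)"
        " VALUES (?, ?, ?, ?, ?)",
        [
            ("alice", "13800000000", "oid-1", "tok-alice-1", "otok-alice-1"),
            ("bob", None, "oid-2", None, None),  # never logged in: nothing to leak
        ],
    )
    conn.commit()
    return conn


def find_stored_secrets(conn):
    """{table: {column: rows_with_a_value}} for credential-looking columns.
    Table and column names come from the database's own schema, so the
    double-quoted identifiers in the f-strings are not user-controlled."""
    report = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]
            if SECRET_COLUMN_RE.search(col):
                (n,) = conn.execute(
                    f'SELECT COUNT(*) FROM "{table}" '
                    f'WHERE "{col}" IS NOT NULL AND length("{col}") > 0'
                ).fetchone()
                report.setdefault(table, {})[col] = n
    return report


def purge_stored_secrets(conn, report):
    """Remediation for tokens that are not needed past the session: null them
    out in place. Returns the number of column values cleared."""
    cleared = 0
    for table, cols in report.items():
        for col in cols:
            cur = conn.execute(
                f'UPDATE "{table}" SET "{col}" = NULL WHERE "{col}" IS NOT NULL')
            cleared += cur.rowcount
    conn.commit()
    return cleared


if __name__ == "__main__":
    db = build_sample_db()
    found = find_stored_secrets(db)
    print("secrets at rest:", found)          # {'user': {'token': 1, 'open_token': 1}}
    print("cleared:", purge_stored_secrets(db, found))
```

Against a real installation, replace `build_sample_db()` with `sqlite3.connect(path_to_the_skill_db)` and run `find_stored_secrets` read-only first; a non-zero count is the condition both findings warn about, since anyone who can read that file holds the same bearer credentials the skill does. Purging is the right fix only if the skill re-authenticates on demand; otherwise the tokens need an OS-protected store rather than a plain table.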

VirusTotal

VirusTotal findings are pending for this skill version.
