ClawHub

Fish Feeding Behavior Activity Analysis | 鱼类摄食行为活跃度分析

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised fish-feeding video analysis, but it also sends identifiers and media to a remote service, silently provisions/stores account tokens, and includes mismatched human-health API documentation.

Review before installing. Use only if you are comfortable sending aquarium videos/URLs and a user identifier such as a username or phone number to the lifeemergence.com service, and with the skill storing service tokens locally. The publisher should replace yaml with PyYAML, remove or document the unrelated human-health docs and unused destructive wrappers, and add explicit consent/retention details for uploads, account creation, billing, and token storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The API documentation exposes an optional endpoint to trigger a linked action that can automatically adjust the next feeding amount, which conflicts with the later red-line requirement that device control changes must not occur without explicit user confirmation. In an IoT feeding context, this inconsistency can lead implementers to build autonomous behavior that changes real-world device operation based on imperfect analytics, potentially harming fish through underfeeding or overfeeding.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The skill exposes a remote delete operation keyed only by cameraSn, but the stated purpose is post-feeding video analytics and appetite alerts, not record or device deletion. In a smart-camera / feeder context, an unnecessary delete pathway increases the risk of unauthorized removal of camera-linked records or configurations if higher-layer access control is weak or misused.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The API documentation is fundamentally inconsistent with the declared fish-feeding analysis purpose: it documents a generic video-analysis endpoint returning human face detection and health/constitution diagnosis. This indicates either the skill is wired to the wrong backend or the skill description is misleading, both of which create a serious trust and data-handling risk because users may upload aquarium footage to an unrelated service or receive outputs from an entirely different analysis domain.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The documented response explicitly contains human-oriented fields such as face detection, complexion, organ condition, and health warnings, which directly contradict the skill's stated fish-feeding functionality. In the skill context, this mismatch is more dangerous because operators may trust the skill for animal-health monitoring while the underlying service appears designed for human biometric or health inference, leading to misrouted data, invalid conclusions, and possible hidden collection of sensitive imagery.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This model stores authentication-related secrets such as token and open_token in a local SQLite database, yet there is no evidence of encryption, hashing, access controls, minimization, or retention limits. In the context of a fish-feeding analytics skill, this capability is not clearly justified, so compromise of the local DB could expose credentials or bearer tokens that enable account takeover or unauthorized API access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility module contains account provisioning, token handling, user persistence, and payment/recharge logic that are unrelated to fish feeding video analysis. That scope mismatch is dangerous because it creates hidden security-sensitive behaviors in a broadly reusable helper, increasing the chance of unauthorized account creation, credential misuse, and unexpected network activity without clear user consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can silently register or log in a user by sending identifiers such as openId/mobile to an external health endpoint with "silent" and "register" enabled. For a fish-feeding analysis skill, this is unjustified functionality and creates a serious risk of undisclosed data transmission, account creation, and cross-service identity linkage.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code reads, stores, updates, and clears user token records in local persistence through DAO operations, despite the skill being presented as a video-based feeding activity analyzer. Persisting tokens broadens the blast radius of compromise because any leakage or misuse of the local store could enable replay or unauthorized access to linked services.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The utility returns user-facing instructions to install a payment skill and recharge an account when a 402 condition is encountered, which is unrelated to fish feeding analysis. This indicates hidden monetization and dependency behavior embedded in common request handling, making the skill's true operational scope broader than disclosed and potentially manipulating users into billing actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger rules are overly broad: the skill auto-runs by default on uploaded feeding videos and also on generic keywords. Broad auto-invocation can cause unintended processing of user media and identifiers, increasing the chance of privacy-impacting actions or remote API calls without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that uploaded attachments or videos are automatically saved locally, but it does not provide a clear upfront notice, retention control, or consent flow tied to that storage. Automatic local persistence of user media is a privacy and data-handling risk, especially for camera footage that may contain sensitive environmental information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill requires cloud API queries for historical reports using an open-id, while prohibiting local alternatives, but it does not clearly warn users that identifiers and report data will be sent to a remote service. This creates a privacy risk because user-linked activity history is transmitted off-device without a transparent consent or disclosure step.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The delete wrapper performs a destructive remote action with no indication in this code of confirmation, guardrails, or auditability. In the context of aquarium cameras and feeder systems, accidental or unauthorized deletion of device-associated records can impair monitoring history, diagnostics, or service continuity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs clients to upload video files or publicly accessible video URLs to a remote endpoint but provides no warning about off-device transmission, storage, retention, or privacy implications. Even though aquarium footage is often lower sensitivity than human data, the risk is elevated here because the same document suggests the backend may perform face or health analysis, meaning users could unknowingly send human-containing video to a remote service without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill accepts either a local file path or a remote video URL and forwards that content to an external analysis service, but this file shows no user-facing notice, confirmation, or consent flow before transfer. Because the skill processes aquarium or feeder camera footage, the uploaded media may contain sensitive environmental or household information, making silent transmission a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script requires an `--open-id` value and stores it globally for subsequent remote analysis/list operations, but it provides no privacy notice, consent prompt, minimization, or masking. Because the accepted identifier may be a username, phone number, or other personal identifier, users can unknowingly transmit personal data to backend services, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool performs remote video analysis when given a local file path or URL, but it only prints that analysis is starting and does not clearly disclose that video content and associated identifiers may be transmitted off-device. In this skill's context, aquarium camera footage may still reveal household, facility, or operational information, so silent upload/remote processing increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The request path automatically attaches user identifiers and authentication headers, and may also add tenantCode, skillHubName, skillPlatform, and pnaUserName to outbound requests, without any evidence of user-facing notice in this file. In the context of an aquarium analysis skill, this undisclosed transmission is more suspicious because the collected identity and auth data are not obviously necessary for local feeding-video analysis.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal