Fish Flashing & Scraping Detection (Ectoparasite Warning) | 鱼类擦缸/蹭底行为识别(外寄)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a remote fish-video analysis tool, but it also handles user identifiers, account login, token storage, and cloud report history more broadly than the main description makes clear.

Review carefully before installing. Use this only if you are comfortable sending aquarium video or video URLs to the configured external service and associating reports with an open-id. Avoid using a phone number as the identifier if possible, do not pass sensitive identifiers on the command line, and assume the skill may create backend account state and store tokens locally for report history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill requires retrieving an open-id from local configuration files or from user identifiers such as username or phone number before analysis. For a video-based fish health warning skill, this introduces unnecessary identity handling and local secret access, increasing the chance of credential exposure, privacy leakage, or unauthorized reuse of account identifiers.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill's documented behavior includes cloud history lookup and report-management features that are not reflected in the high-level manifest description. Hidden secondary behaviors are risky because users may trigger broader data retrieval and cross-session record access than they intended, especially when combined with open-id based querying of historical reports.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The CLI requires an open_id and explicitly states it may contain OpenID, user ID, username, or phone number, which is broader and more sensitive than necessary for fish-behavior video analysis. Collecting unnecessary identifiers increases privacy risk, creates avoidable exposure in shell history/process listings/logs, and expands the impact if downstream storage or telemetry is compromised.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented endpoint and example response are fundamentally unrelated to the advertised fish flashing/scraping detection skill: they describe a generic video upload API that returns human face detection and TCM-style health diagnosis data. This mismatch is dangerous because it suggests the skill may route aquarium video to an unrelated human-analysis backend or that the published documentation is deceptive, creating a serious risk of unintended data processing, capability misrepresentation, and user trust violations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The response schema explicitly includes face_detection, constitution diagnosis, organ-condition analysis, complexion analysis, and health advice for humans, which is incompatible with an aquarium monitoring skill. In this context, unrelated human-analysis functionality is especially concerning because fixed cameras may capture people near tanks, so a mislabeled or swapped backend could process human imagery without informed consent.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file exposes generic report listing and report-image export behavior that is broader than the aquarium flashing/scraping detection purpose described in the manifest. This scope expansion can leak historical analysis metadata or report artifacts to callers who only expected narrow real-time detection functionality, increasing data exposure and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill accepts arbitrary http/https URLs and forwards them for analysis, which introduces network-ingestion capability beyond a fixed local camera workflow. This can be abused to make the backend fetch untrusted remote resources, potentially enabling SSRF-like access to internal services or processing of attacker-controlled content.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script exposes a history-listing function keyed only by a caller-supplied open_id, which is broader than the stated single-purpose fish flashing/scraping analysis workflow. If the backing service does not enforce strong server-side authorization, an attacker could enumerate or retrieve other users' analysis history by providing another identifier, creating an insecure direct object reference and unnecessary data exposure.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
The file implements generic user-account storage and management, including usernames and authentication tokens, which is unrelated to a fish flashing/scraping detection skill. This mismatch materially increases risk because it introduces identity and secret-handling capabilities that expand the attack surface and suggest unnecessary collection or persistence of sensitive user data.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The User model stores sensitive identity and credential-like fields such as username, email, token, and open_token without any justification from the skill’s declared aquarium-monitoring purpose. In context, this is especially concerning because a behavior-analysis skill should not need long-lived user secrets, and local plaintext token storage can enable account compromise if the host is accessed.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility code performs automatic phone-login/registration against an external backend and persists returned tokens locally, which is unrelated to the stated fish flashing/scraping detection purpose. That creates hidden account provisioning and credential handling behavior that can transmit user identifiers off-device and expand the skill's privileges far beyond video analysis, increasing privacy and supply-chain risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code has unjustified capability to create accounts, fetch tokens, and update persisted authentication material for an unrelated backend service. In the context of an aquarium-behavior monitoring skill, this is overbroad functionality that could be abused for unauthorized backend access, silent account creation, or collection of user-linked identifiers without a clear need.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The default trigger is broad enough to activate on nearly any aquarium video analysis request, which can cause the skill to run and collect/process data without sufficiently specific user intent. In a skill that also performs remote API calls and account-linked history access, over-triggering materially increases privacy and misuse risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Collecting sensitive identifiers on the command line is dangerous because command-line arguments are commonly exposed through shell history, process monitors, orchestration logs, and crash reports. The lack of privacy notice or safer input path makes accidental disclosure more likely, especially in shared systems or managed environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs clients to transmit videos and an API key to a remote server but provides no privacy, retention, access-control, or sensitive-data guidance. Because aquarium cameras can incidentally capture humans, homes, or other identifying context, omission of these warnings increases the risk of silent collection, over-sharing, and insecure operational use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads full local file contents or forwards a user-supplied URL to an external analysis service without any user-facing notice, consent prompt, or visible disclosure in this file. In a monitoring context, uploaded videos may contain sensitive environmental information, so silent transfer creates privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The request helper automatically attaches user identifiers and authentication headers such as X-Access-Token, X-Api-Key, Authorization, and pnaUserName to outbound requests without any user-facing disclosure in this code. Even if sent over HTTP(S), this creates a privacy and transparency issue and broadens the consequence of endpoint misuse or compromise because identifying data and tokens are propagated by default.

VirusTotal

66/66 vendors flagged this skill as clean.
