Fish Gasping & Ammonia Poisoning Visual Warning | 水族箱内氨氮中毒视觉预兆(鱼浮头)

Security checks across malware telemetry and agentic risk

Overview

This skill sends aquarium videos and personal identifiers to a cloud service and stores account tokens locally in ways that are not clearly scoped or explained.

Install only if you are comfortable sending aquarium footage, report history requests, and a personal identifier such as open-id, username, or phone number to this provider. Avoid using an API key as an identity value, do not provide unrelated personal identifiers, and treat the local workspace database as sensitive because it may contain reusable service tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The `--list` path exposes history retrieval by `open_id` without any visible authentication, authorization, or scope checks in this file. In a monitoring skill for aquarium distress detection, historical user data access is not necessary for the core function, so this additional capability increases the chance of privacy leakage or account data enumeration if the backend is permissive.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Accepting broad identifiers such as OpenID, user ID, username, or phone number for a video-analysis workflow collects more personal/account data than is needed for fish-behavior detection. This expands privacy risk and can enable user enumeration or cross-context identity linkage, especially because the same identifier is later used for history access behavior.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The documented API is fundamentally mismatched with the stated aquarium safety skill: it describes a generic remote video-analysis endpoint that returns human face detection and health-diagnosis fields rather than fish gasping or ammonia/hypoxia risk analysis. This indicates either skill substitution, undocumented repurposing of user video to an unrelated service, or severe supply-chain/integration confusion, any of which can mislead users and cause sensitive footage to be sent to an unintended processor.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The response schema explicitly includes human face detection plus constitutional and organ-health diagnosis, which is unjustified for an aquarium monitoring skill and suggests collection or processing of human biometric/health-adjacent data. In a home aquarium context, cameras may capture household members or bystanders, so this mismatch materially increases privacy, consent, and potential misuse risks.

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
The skill accepts arbitrary http/https video URLs, which is broader than the declared fixed-camera aquarium monitoring use case. This can enable server-side fetching of attacker-controlled resources, creating SSRF-style exposure, unexpected processing of untrusted remote media, and policy drift between the manifest and actual behavior.

Context-Inappropriate Capability

Low
Confidence: 70%
Finding
`show_analyze_list(open_id)` retrieves historical analysis data keyed only by a user identifier, and this file shows no authentication, authorization, or scoping checks before requesting that history. If the backend trusts caller-supplied `open_id`, an attacker could enumerate or supply another user's identifier and access prior analysis records, creating a privacy exposure.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
This file exposes broad generic CRUD and arbitrary HTTP wrapper methods that are not constrained to the aquarium emergency-warning use case described in the skill metadata. Because callers can supply arbitrary URLs and request payloads, the skill package can be repurposed as a general network client, increasing the risk of unintended data exfiltration, unauthorized backend interaction, or capability creep beyond user expectations.

Context-Inappropriate Capability

Low
Confidence: 78%
Finding
The download-URL generation method introduces file/object retrieval capability that is not clearly justified by the stated function of detecting fish gasping and issuing water-quality warnings. Even if intended for media access, it expands the skill's data-access surface and could enable retrieval of stored objects through signed URLs if misused.

Description-Behavior Mismatch

High
Confidence: 91%
Finding
The file defines a generic DAO plus a sys_user persistence model containing account-related fields that are unrelated to fish gasping/ammonia warning functionality. In a narrowly scoped safety-monitoring skill, unexplained user-account storage expands the data-collection surface and creates unnecessary privacy and security risk if credentials, tokens, or identities are later populated or exposed.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The User model stores token and open_token values in plaintext despite the skill description providing no justification for handling authentication secrets. Persisting credentials or API tokens in a local SQLite database materially increases the blast radius of filesystem compromise, backups exposure, or accidental disclosure, especially because this capability is unrelated to aquarium video analysis.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
This utility code performs remote account lookup/creation, token management, and payment-state handling that is unrelated to the stated aquarium-camera safety function. In a skill that is supposed to analyze fish behavior locally or through camera inference, silently creating accounts and attaching authenticated backend flows expands the attack and privacy surface significantly and can enable unauthorized data transmission or service-side actions under a user identity.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code automatically invokes a phone-login/registration flow using a username/openId/mobile value and may create a backend user if tokens are missing. That behavior is not justified by the aquarium emergency-warning description and is dangerous because it can register users or link identifiers to backend accounts without clear notice, consent, or necessity.

Vague Triggers

Medium
Confidence: 84%
Finding
The default trigger condition activates on essentially any uploaded aquarium video needing analysis, which is broader than necessary for an emergency fish-gasping detector. Overbroad auto-triggering is risky because it can cause unintended processing, upload, or retention of user media without clear intent, especially when the skill also performs cloud/API interactions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The API accepts uploaded videos and publicly accessible video URLs but provides no privacy notice, retention policy, transmission safeguards, or handling requirements. Because aquarium cameras are often installed in homes or semi-public environments, submitted footage may contain people, interiors, or other sensitive context, making silent remote transfer and processing a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code uploads local file contents or submits remote video URLs to a backend analysis service without any user-facing notice, consent, or data-handling disclosure in this file. For a camera-monitoring skill, video may contain sensitive environmental or household information, so silent transmission increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 85%
Finding
The CLI requires `--open-id` and describes it as an OpenID/UserId/username/phone number, which are sensitive identifiers, but provides no minimization, masking, consent notice, or safer alternative. Collecting and transmitting such identifiers increases privacy risk, especially because phone numbers and usernames may be personally identifying and could be logged, stored, or reused across requests.

Missing User Warnings

Medium
Confidence: 78%
Finding
This code silently creates a local SQLite database and writes application state without any indication in the skill description that persistent local storage will occur. In the context of a fish-behavior alerting skill, undisclosed persistence is risky because it can collect or retain user/account data beyond user expectations, increasing privacy exposure and forensic surface.

Missing User Warnings

Medium
Confidence: 82%
Finding
The DAO performs an automatic ALTER TABLE against sys_user on initialization, changing local persistent state without explicit disclosure or migration controls. Silent schema mutation is dangerous because it can unexpectedly expand the kinds of user data retained and makes it harder to audit or consent to storage behavior in a skill whose stated purpose is only behavioral fish monitoring.

Missing User Warnings

Medium
Confidence: 95%
Finding
The request path transmits identifiers and authentication material such as openId/mobile-derived username, X-Access-Token, X-Api-Key, and Authorization headers to remote services without any visible consent or disclosure mechanism in this code. In the context of a fish-monitoring alert skill, this is disproportionate to the advertised purpose and increases privacy, account, and backend abuse risks if endpoints or logs are compromised.

Ssd 3

Medium
Confidence: 93%
Finding
The skill instructs the agent to fetch and display all historical warning reports from a cloud service whenever broad history-related phrases are detected. This is dangerous because it can expose prior records, event metadata, and report links in natural language output without clear verification of authorization, least-privilege scoping, or need-to-know limits.

Ssd 3

High
Confidence: 98%
Finding
The open-id acquisition flow tells the agent to read an api-key from local or shared config files and repurpose it as a user identity value. This is highly dangerous because it explicitly converts secret configuration material into an identity token, encouraging credential exposure, secret misuse, cross-user confusion, and unauthorized API access if shared configs are harvested.

VirusTotal

61/61 vendors flagged this skill as clean.