Pet Grooming Effectiveness & Hairball Risk Analysis | 宠物梳毛器梳理效果与毛球风险

Security checks across malware telemetry and agentic risk

Overview

This skill mostly fits a remote pet-grooming analysis use case, but it has under-disclosed identity, account, token-storage, and cross-scope backend behavior that users should review carefully.

Install only if you are comfortable sending pet media, URLs, and a user identifier to the vendor's remote service, and with the skill creating or using backend account tokens that may be stored locally. Do not put real API keys in fields that may be reused as open-id, and review the vendor's privacy and retention terms before using history/report features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises broad operational capabilities including file read/write, network, shell, and environment access without declaring permissions or clearly constraining their use. This weakens reviewability and can let a seemingly simple media-analysis skill access local data, invoke scripts, and contact remote services in ways users and integrators may not expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior goes beyond pet grooming analysis into account/bootstrap flows, token handling, history retrieval, and report-link generation. This mismatch is dangerous because reviewers or users may authorize the skill for innocuous image analysis while it also processes identity data and interacts with broader backend functionality not transparently disclosed.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to read a local configuration file and reinterpret an api-key as a user's open-id. This is a classic sensitive-data misuse issue: a secret meant for service authentication is repurposed as user identity, risking credential exposure, cross-user confusion, and unauthorized access to another account's cloud history or reports.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The instructions are internally inconsistent: they tell the agent both to prompt the user for open-id and to silently pull an api-key from config and use it as open-id. Such ambiguity often leads agents to choose the path of least resistance and consume local secrets without informed user consent, increasing the chance of identity mix-ups and data leakage.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill manifest describes an analysis-oriented capability, but this file exposes broader record-management methods including page/list/add/edit/delete. That expands the attack surface beyond user-expected behavior and can enable unauthorized state changes or data manipulation if these methods are reachable through the skill runtime or shared base APIs. In a grooming-analysis skill, these extra operations are not justified by the stated purpose, which makes them more suspicious and increases the risk of abuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A delete operation keyed by cameraSn is especially concerning because it targets device- or camera-associated records in a skill whose purpose is pet grooming effectiveness analysis. If exposed, this could delete device data or operational records unrelated to the user’s requested analysis, causing integrity loss and potentially disrupting connected systems. The mismatch between grooming analysis and camera/device deletion makes this more dangerous in context, not less.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented response schema is for human face detection and health/constitution diagnosis, which is unrelated to the advertised pet grooming analysis. This mismatch strongly suggests the skill may route user-provided pet media to a different backend capability than disclosed, creating a serious risk of deceptive data collection, unauthorized biometric processing, or hidden repurposing of uploaded videos.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The API documentation describes a backend that accepts video uploads/URLs and returns human face detection and health diagnosis results, not pet coat or shed-hair analysis. In the context of a pet grooming skill, this is especially dangerous because users are likely to trust the benign framing and may unknowingly submit sensitive media to a human-analysis service, indicating possible covert scope substitution.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata describes an analysis-only capability for grooming image/video inputs, but this API service also exposes record-management methods such as add, edit, page/list, and delete. That scope mismatch increases the attack surface and could let the skill access or modify backend records unrelated to the user’s requested analysis, violating least privilege and enabling unauthorized data tampering if these methods are reachable.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The legacy report-listing path reads and displays unrelated healthAiResponse and faceAnalysisResponse fields even though this skill is described as a grooming-effectiveness analyzer. That creates a data-minimization and cross-scope exposure issue: users invoking a pet grooming skill could receive or infer unrelated health-analysis data if such payloads are present in backend responses.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comments claim the code only relays report-list API output, but the implementation derives judgments from unrelated health/face analysis payloads. This mismatch increases the risk of hidden data exposure and makes security review and operator expectations inaccurate, which is especially problematic when handling potentially sensitive analysis records.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill manifest describes pet grooming media analysis, but this module creates and mutates a persistent local SQLite database in a shared workspace path. That mismatch expands the skill's data-handling scope and creates unnecessary persistence, which can retain user-related data or enable cross-run data access beyond what users would reasonably expect from image/video analysis.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file exposes full CRUD operations for user records, including lookup, update, and deletion, even though the advertised skill purpose is grooming-effectiveness analysis on pet media. Such unnecessary account-oriented data operations significantly broaden the attack surface and could be repurposed to store, alter, or remove unrelated user data if reachable from agent workflows.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores usernames, email, birthday, and especially token/open_token fields, which are highly sensitive and unrelated to pet grooming image analysis. Persisting credentials or session-like tokens in a local SQLite database greatly increases the consequences of filesystem exposure, backup leakage, or unintended code paths reading this data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The HTTP helper performs unrelated security-sensitive actions: automatic phone-based account creation/login, token acquisition, token persistence, and a payment/upsell flow. For a grooming-analysis skill, this hidden expansion of scope increases the chance of unauthorized account actions, undisclosed data transfer, and misuse of user identity or service credentials.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This code silently derives a username from API secrets or current user identifiers, looks up stored tokens, and if absent creates or logs in a user automatically. That behavior exceeds expected image/video analysis and can cause unauthorized identity binding, backend account creation, and persistent credential management without transparent user approval.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad and keyword-driven, including generic phrases around reports, grooming, shedding, and health-risk queries. Overbroad auto-invocation can cause the skill to activate unexpectedly, process attachments or query cloud history without clear user intent, and increase accidental exposure of files or personal report data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn that uploaded local files, remote URLs, and user identifiers are sent to server-side APIs and cloud history services. This creates a transparency and consent failure: users may think analysis is local or limited in scope when their media and identifiers are actually transmitted remotely and stored for later retrieval.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The delete method performs a destructive server-side action with no visible confirmation, warning, or explanatory guardrails in this code path. If callable through the skill or inherited interfaces, users or upstream components could trigger irreversible deletion without understanding the consequences. In this skill context, deletion is already unjustified, so the lack of confirmation compounds the risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API documentation instructs clients to send videos or public URLs plus an API key, but provides no privacy, retention, or sensitive-data handling notice. Because video content may include people, homes, pets, and metadata, the absence of disclosure and safeguards increases the risk of improper collection, transmission, and storage of sensitive media.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code reads the entire local file and sends it to a server-side analysis API, but this file contains no visible disclosure, consent prompt, or warning that local media will be uploaded off-device. For user-provided pet photos/videos, this can create a privacy risk if operators or users assume analysis is local or are unaware that potentially sensitive metadata and imagery are transmitted to a remote service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script requires an open_id that may contain sensitive identifiers such as a phone number, username, or user ID, and the help text explicitly encourages those values without any warning, minimization, or privacy notice. In this skill context, media analysis may already involve personal pet-care data, so silently coupling it with direct identifiers increases privacy risk and can expose users to unnecessary data collection or linkage across historical records.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When debug mode is enabled, urllib3/http.client debugging and root logger DEBUG level can emit full request/response details, which may include tokens, identifiers, URLs, and payload content. Even if some later logs truncate headers, low-level HTTP debug logging can still leak sensitive data to logs without user awareness.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The utility saves user-derived token material via DAO persistence as part of normal request handling, but this storage is implicit and unrelated to the visible grooming-analysis action. Persisting tokens or user records without clear disclosure or minimization increases the risk of credential theft, privacy issues, and cross-skill account linkage.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly directs reading a local config file and reusing its api-key as the user's open-id, which can expose credential-like material and substitute machine/service secrets for user-provided identity. In this skill's context, that could let the agent query or create grooming-history records under the wrong identity and leak backend-linked data through report listings or links.

VirusTotal

VirusTotal findings are pending for this skill version.
