Pet Soothing Trigger Analysis Skill | 宠物安抚触发分析技能

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible pet video analysis purpose, but it mixes that purpose with unsafe identity/credential handling, remote video/report access, and silent local token persistence.

Review this skill carefully before installing. Do not let it use an API key as your open-id, avoid providing a phone number unless you trust the backend service, and only upload videos you are comfortable sending to the listed cloud endpoints. Prefer a revised version that separates credentials from user identity, discloses account/token storage and retention, and removes unrelated generic health-analysis and deletion surfaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The instructions tell the agent to read local configuration files and repurpose an api-key as a user's open-id, even though that credential is unrelated to pet analysis. This is a credential-harvesting pattern that can exfiltrate secrets from the local workspace and misuse them as identity data in downstream API calls.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding
The document prohibits reading local memory for historical reports while separately directing the agent to read local configuration files for credentials. This inconsistency creates a confusing trust boundary and normalizes local secret access despite claiming strict data-source controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
The `delete(cameraSn)` method exposes camera-identifier-based deletion functionality that is not explained by the declared pet-calming purpose. In an IoT/pet-care context, unexpected camera-management capability increases the risk of unauthorized device record deletion, misuse of camera-linked resources, or hidden cross-scope operations if this service is callable by other parts of the skill without strict authorization.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The documented endpoint performs face detection and human health/constitution diagnosis, which is unrelated to a pet-calming skill. This kind of scope mismatch is dangerous because it suggests the skill may collect and transmit sensitive human video/biometric data under a misleading pet-care label, increasing the risk of covert surveillance, privacy violations, or unauthorized secondary use of user data.

Context-Inappropriate Capability

Severity: High
Confidence: 73%
Finding
The skill advertises pet-calming actions, but this code exposes a backend deletion operation for camera-associated resources using only a camera serial number. In a mismatched context like this, destructive capabilities are more suspicious because they are not justified by user expectations and could enable unauthorized or accidental deletion of surveillance/analysis records if higher layers do not enforce strict authorization.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The implemented behavior is a generic media analysis/upload workflow with polling, report generation, and export links, which does not match the declared pet-calming automation purpose. This kind of capability mismatch is dangerous because it can mislead reviewers and users about what data the skill processes, and it introduces unnecessary file/URL handling and remote analysis functionality that expands the attack surface.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill exposes report listing and export URL construction features unrelated to pet calming, creating an unnecessary data access surface. If report IDs are guessable or access controls are weak in downstream services, this could enable unintended disclosure of prior analysis artifacts or metadata.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The code implements generic video analysis and history retrieval rather than any pet-calming trigger logic described in the manifest. This capability mismatch is dangerous because it can disguise a broader surveillance or data-processing function behind an innocuous pet-care description, reducing user scrutiny and enabling collection or processing of unrelated media.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The CLI accepts arbitrary identifiers such as OpenID, username, or phone number and uses them to fetch analysis history, which is unrelated to pet soothing. If exposed to users or other components, this creates an insecure direct object reference/privacy risk where an operator could query another person's history by supplying their identifier.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The command-line interface explicitly presents itself as a video analysis tool, directly contradicting the pet-calming manifest. This inconsistency is a strong indicator of deceptive packaging, which can conceal unexpected data collection or unauthorized functionality under a benign skill label.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The file defines generic user persistence including username, email, token, and open_token storage, which is unrelated to a pet-calming automation skill's stated purpose. Capability mismatch increases the risk of unnecessary collection and retention of sensitive account data, especially if the wider skill can invoke this DAO without clear user consent or minimization.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The utility layer silently performs account lookup/creation and injects platform identity fields such as tokens, usernames, tenant code, skill hub, and platform name into outbound requests. That behavior is unrelated to a pet-calming skill and creates hidden identity propagation and backend-side effects, which is especially risky because it can register users and bind actions to an identity without clear user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The code injects a recharge/payment instruction path when a 402-like condition occurs, directing the user to install a payment skill and top up an account. For a pet-calming skill, embedding unrelated billing workflow logic is suspicious because it broadens the skill's effective capabilities and can steer users into financial actions that are outside the declared purpose.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The default trigger activates on broadly described pet-video analysis requests, which can cause the skill to run in situations where the user did not specifically request this workflow. Overbroad triggering increases the chance of unnecessary file handling, remote uploads, and unintended access to monitoring footage.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill directs automatic local saving of uploaded files without a clear prior notice, retention policy, or consent flow. Because the files are pet monitoring videos captured inside a home, silent storage creates privacy and data-handling risks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill instructs use of cloud APIs for historical report queries and video analysis without a prominent privacy warning about transmitting home surveillance content and metadata to remote services. Users may unknowingly expose sensitive behavioral, household, and identity information.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The script requires a sensitive user identifier via the command line (`--open-id`), and command-line arguments are commonly exposed through shell history, process listings, audit logs, and orchestration tooling. In this pet-care context, the accepted values include OpenID, username, or phone number, which increases privacy risk because personally identifying information may be unnecessarily exposed during routine use.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The API accepts uploaded videos and public video URLs but provides no privacy, retention, consent, or data-handling guidance. Because video may contain pets, owners, homes, and bystanders, this omission can lead to unsafe collection and transmission of sensitive footage without users understanding where it is sent or how it is stored and processed.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code reads arbitrary local file contents and prepares them for upload to an analysis service, but this file contains no user-facing disclosure, consent mechanism, or path restriction. In a skill presented as pet-care automation, that mismatch makes the behavior more suspicious and increases the risk of unexpected exfiltration of local media or other sensitive files.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The CLI collects sensitive identifiers including phone numbers and user IDs without any privacy notice, minimization, or purpose limitation. Even if not immediately exploitable for code execution, this creates unnecessary privacy exposure and increases the risk of misuse, logging leaks, or unauthorized record access.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The DAO automatically creates and writes a local SQLite database containing user-related fields, including tokens, without any visible disclosure, consent, or safeguards in this file. Silent persistence of potentially sensitive data is dangerous because it expands the local attack surface and may surprise users who do not expect a pet-calming skill to maintain account records.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding
The code performs an automatic schema-altering operation on startup, modifying the sys_user table without any operator confirmation or migration controls. Unannounced schema changes can damage integrity, create compatibility issues, and conceal unauthorized expansion of collected data fields in a skill that already appears over-scoped for its stated purpose.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This code transmits user identifiers and authentication material, including mobile/openId-derived login data, X-Access-Token, X-Api-Key, Authorization, and pnaUserName, without any visible disclosure or consent handling in the file. Hidden transmission of identity and auth data increases privacy risk and can expose users to account linkage, tracking, or unauthorized backend actions if misused or intercepted elsewhere.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The utility persists token and openToken values into local user storage after obtaining them from the backend, again without any visible warning or consent. Storing bearer-style credentials expands the blast radius of compromise because theft of local storage or database contents can enable account impersonation and unauthorized API use.

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill explicitly tells the agent to read a local config file and reuse its api-key as a user's open-id. This crosses security boundaries by treating a local secret as user identity material, enabling credential misuse, unauthorized API access, and possible secret leakage beyond the intended component.

VirusTotal

63/63 vendors flagged this skill as clean.