宠物日常健康监测分析工具 (Pet Daily Health Monitoring Analysis Tool)

Security checks across malware telemetry and agentic risk

Overview

This pet-health skill is flagged for review because it mixes the expected cloud media analysis with under-disclosed credential, identity, account, and cross-domain health-analysis behavior.

Install it only if you are comfortable sending pet or home-monitoring videos, URLs, identifiers, and possibly account credentials to the provider's backend. Do not let it use an API key as your open-id, avoid private or signed URLs, and look for clear privacy, retention, billing, and deletion terms before using the report-history or upload features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
Finding
The mandated workflow instructs the agent to read local configuration files and reuse an `api-key` value as the user's `open-id`, which is unrelated to the stated business purpose of pet video analysis. This conflates a secret credential with a user identifier and can expose or misuse locally stored secrets during routine task execution.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
Finding
The document is internally inconsistent: it says API keys are optional for authentication, but the required `open-id` acquisition flow tells the agent to read `api-key` from config and use it as `open-id`. That ambiguity increases the likelihood that secrets intended only for service authentication are repurposed, disclosed, or transmitted as user identity data.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding
The function accepts an arbitrary remote URL via --url and passes it directly into downstream analysis logic without restricting origin, scheme, or trust boundary. In a skill intended for feeder/camera health monitoring, this broadens capability into generic remote resource processing, which can enable SSRF-like access, unintended retrieval of internal resources, or processing of attacker-controlled content depending on how skill.get_output_analysis handles URLs.

Intent-Code Divergence

Severity: Medium | Confidence: 93%
Finding
The code comments indicate an OpenId/UserId check was intended, but the validation is commented out and show_analyze_list() calls skill.get_output_analysis_list() without enforcing user binding. If the downstream API does not independently enforce authorization, a caller may enumerate or retrieve analysis listings outside their own account context.

Intent-Code Divergence

Severity: High | Confidence: 98%
Finding
The documented response schema describes human face detection and human constitution/organ diagnosis, which is fundamentally inconsistent with a pet-health-monitoring skill. This kind of cross-domain mismatch strongly suggests the skill may send pet-monitoring videos to an unrelated or misrepresented backend, causing unsafe outputs, privacy misuse, and loss of operator trust in health-related results.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding
The API behavior described for request/response usage appears to support generic video upload or URL submission while the documented semantics point to human facial/constitution analysis rather than pet monitoring. In a health-related skill, this discrepancy is dangerous because users may unknowingly submit sensitive home or pet videos to a service that performs a different analysis than advertised.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding
The skill claims to perform pet-health video analysis, but this module initializes a persistent local database and exposes generic CRUD capabilities unrelated to that stated purpose. In an agent-skill context, unexplained data persistence broadens the attack surface and creates opportunity for covert retention or later misuse of user data.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
This file defines storage for usernames, email addresses, birthdays, and authentication tokens, which is far beyond what a pet-health monitoring skill needs. Collecting and persisting identity and token material without clear justification creates significant privacy and account-compromise risk if the local database is accessed, leaked, or reused by other components.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
This utility performs remote user provisioning/login and persists tokens via a local DAO, which is unrelated to a pet health video analysis skill's stated purpose. It expands the skill's privilege boundary, creates hidden account linkage, and introduces credential handling risks if the remote service, local storage, or logs are compromised.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding
The code embeds a recharge/payment flow in a generic HTTP utility, which is not justified by the skill's health-monitoring function. This indicates hidden monetization behavior and can steer users into unrelated account/payment actions based on backend responses, increasing trust and abuse risks.

Vague Triggers

Severity: Medium | Confidence: 82%
Finding
The trigger conditions are broad enough to auto-invoke on common pet-health requests whenever media is present, increasing the chance of unanticipated execution. In a skill that saves files locally and sends data to external services, overbroad triggering can cause privacy-impacting actions without sufficiently explicit user confirmation.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The skill states that uploaded attachments or video/image files will be automatically saved locally, but it does not provide a user-facing warning or consent step about local retention and handling. For potentially sensitive home-monitoring footage, silent local persistence increases privacy and data exposure risk.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The skill requires the user to provide a username or phone number as `open-id` without a clear privacy notice, purpose limitation, or data-handling explanation. Collecting direct identifiers for a pet-health report workflow can expose unnecessary personal data and create avoidable privacy risk.

Missing User Warnings

Severity: Medium | Confidence: 79%
Finding
The tool sends a local file path or remote URL into an analysis service without clearly informing the user that this may trigger a network operation or disclose video content/metadata to a backend. This is primarily a privacy and transparency issue: users may unknowingly expose sensitive pet/home monitoring data, especially because the skill processes household surveillance-style footage.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The documentation instructs users to upload videos or provide public video URLs but gives no privacy, retention, consent, or data-handling warning. Because pet-monitoring videos often capture private household spaces, people, and routines, omission of these disclosures increases the risk of unintended exposure and noncompliant handling of sensitive visual data.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The skill reads the full contents of a local video file and sends it to an external analysis API, but this code shows no user-facing notice, consent flow, or data-handling disclosure at the point of transfer. In a pet-monitoring context, videos may contain highly sensitive household imagery, location clues, family members, or routines, so silent upload creates meaningful privacy and compliance risk.

Missing User Warnings

Severity: Low | Confidence: 82%
Finding
The skill forwards user-supplied remote video URLs to the analysis service without any visible disclosure that the URL itself and its fetched content may be processed by a third party. While less sensitive than direct file upload in some cases, URLs can embed tokens, internal resource locations, or private storage links, so undisclosed forwarding can leak access credentials or private media locations.
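The two URL findings above (the unrestricted `--url` input and the undisclosed forwarding of URLs that may carry tokens or private storage links) call for the same gate: vet the URL before it ever reaches the backend. The following is an added example, not the skill's own code. It assumes the backend should only receive public https links, and the list of token-like query parameter names and internal hostnames is a constructed starting point, not an exhaustive one.

```python
"""Vet a user-supplied remote video URL before forwarding it to the analysis backend.

Added example, not code from the skill. Policy assumed here: https only, no
credentials in userinfo, no loopback/private/internal hosts, and no query
parameters that look like presigned-URL signatures or bearer tokens.
"""
import ipaddress
from typing import List
from urllib.parse import parse_qsl, urlsplit

ALLOWED_SCHEMES = {"https"}

# Constructed list of query-parameter names that usually carry secrets:
# S3/GCS/Azure presigned-URL material plus generic token names.
SECRET_PARAM_NAMES = {
    "token", "access_token", "auth", "apikey", "api_key", "key", "sig",
    "signature", "sas", "x-amz-signature", "x-amz-credential", "x-goog-signature",
}

# Constructed list of names that should never be fetched on the user's behalf.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def _is_private_host(host: str) -> bool:
    """True for loopback/private/link-local IP literals and well-known internal names.

    Only IP literals are classified here; DNS resolution is deliberately not done,
    so a deployment must resolve and re-check (or route through an egress proxy
    that does) to close the DNS-rebinding gap.
    """
    lowered = host.lower()
    if lowered in BLOCKED_HOSTNAMES or lowered.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(lowered)
    except ValueError:
        return False  # a DNS name, not a literal
    return not ip.is_global  # covers loopback, RFC1918, link-local, unspecified, etc.


def vet_video_url(url: str) -> List[str]:
    """Return the reasons this URL must not be forwarded; an empty list means acceptable."""
    reasons: List[str] = []
    parts = urlsplit(url)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL userinfo")

    host = parts.hostname or ""
    if not host:
        reasons.append("missing host")
    elif _is_private_host(host):
        reasons.append(f"host {host!r} is loopback/private/internal")

    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        low = name.lower()
        if low in SECRET_PARAM_NAMES or low.endswith("token"):
            reasons.append(f"query parameter {name!r} looks like a token or signature")
            break
    if "token" in parts.fragment.lower():
        reasons.append("fragment carries token-like material")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in (
        "https://cdn.example.com/clips/feeder-2024-05-01.mp4",
        "http://127.0.0.1:8080/internal/cam.mp4",
        "https://bucket.s3.amazonaws.com/clip.mp4?X-Amz-Signature=abc&X-Amz-Credential=AKIA",
        "https://user:pw@cdn.example.com/clip.mp4",
    ):
        print(candidate, "->", vet_video_url(candidate) or "ok")
```

Rejecting rather than silently stripping the signature is the safer default: a presigned link that loses its signature simply fails at the backend, while forwarding it intact hands the backend (and its logs) a time-limited credential to the user's private storage.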

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The script requires a user identifier via --open-id and sends video content or URLs to a remote analysis backend through skill.get_output_analysis / get_output_analysis_list, but provides no explicit notice, consent flow, or privacy warning to the operator. In a pet health monitoring context, the uploaded videos may contain pets, people, home interiors, schedules, and other sensitive household data, so transmitting them together with a persistent identifier increases privacy and tracking risk.

Missing User Warnings

Severity: Medium | Confidence: 82%
Finding
FileUtil.open opens arbitrary paths in write mode, which will overwrite existing files without confirmation or safety checks. In a larger skill context, if path input is influenced externally, this can cause destructive file clobbering or unauthorized modification of local files.
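A save routine that cannot clobber an existing file or escape the upload directory, as an added example (not the skill's `FileUtil`). The upload-directory layout, the filename character policy, and the 0600 mode are assumptions; the two mechanisms that matter are `O_EXCL` for create-only opens and resolving the final path back under the base directory.

```python
"""Create-only, directory-confined file save.

Added example, not the skill's FileUtil. Assumed policy: filenames are a single
path component of a restricted charset, targets live under one upload directory,
and an existing file (or symlink) at the target is an error, never overwritten.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed policy: one path component, conservative charset, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def safe_save(base_dir: str, filename: str, data: bytes) -> Path:
    """Write `data` to a new file named `filename` under `base_dir`.

    Raises ValueError for unsafe names and FileExistsError if the target exists.
    """
    base = Path(base_dir).resolve()
    base.mkdir(parents=True, exist_ok=True)

    # Reject anything that is not a bare component: '../x', '/etc/x', 'a\\b', '.', '..'.
    if filename != os.path.basename(filename) or not SAFE_NAME.match(filename) \
            or filename in (".", ".."):
        raise ValueError(f"unsafe filename: {filename!r}")

    target = (base / filename).resolve()
    # If `filename` is an existing symlink, resolve() follows it; this check
    # catches a link that points outside the upload directory.
    if target.parent != base:
        raise ValueError("target escapes the upload directory")

    # O_CREAT|O_EXCL fails if the path exists at all (including a dangling
    # symlink), so an existing file is never truncated or overwritten.
    fd = os.open(str(base / filename), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return base / filename


def demo() -> Dict[str, object]:
    """Exercise safe_save in a scratch directory and report what happened."""
    scratch = tempfile.mkdtemp(prefix="petclips-")
    first = safe_save(scratch, "feeder-clip.mp4", b"constructed video bytes").read_bytes()
    try:
        safe_save(scratch, "feeder-clip.mp4", b"replacement")
        second = "overwritten"
    except FileExistsError:
        second = "refused"
    rejected: List[str] = []
    for bad in ("../escape.mp4", "/etc/passwd", "..", "two words.mp4", "sub/dir.mp4"):
        try:
            safe_save(scratch, bad, b"x")
        except ValueError:
            rejected.append(bad)
    return {"first": first, "second": second, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

If overwriting a previous report is a legitimate feature, do it explicitly (write to a fresh temporary name under the same directory, then `os.replace`) after a user confirmation, rather than letting a generic open-for-write helper decide.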

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The request helper sends request payloads together with authentication headers and does so from shared utility code without any visible user-facing disclosure or consent boundary. In this skill context, that is more concerning because a pet health monitoring feature would not normally need to silently transmit account-linked data and tokens to external services.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
This code retrieves, populates, and propagates multiple sensitive tokens (X-Access-Token, X-Api-Key, Authorization) and may source them from stored user records or secret keys. Centralizing this behavior in a generic utility increases the chance of unintended credential reuse, leakage, or misuse across unrelated requests.
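The fix for a helper that blindly attaches `X-Access-Token`, `X-Api-Key` and `Authorization` to every request is to scope them: to one pinned backend host, to https, to the subset each call actually needs, and to drop them when a redirect leaves that host. The following is an added example, not the skill's request helper; the backend hostname and the per-call needs are assumptions.

```python
"""Scope credential headers to the pinned backend and to each call's needs.

Added example, not the skill's HTTP utility. The three header names come from
the finding; the backend hostname and the 'need' sets are assumptions.
"""
from typing import Dict, Optional, Set
from urllib.parse import urljoin, urlsplit

BACKEND_HOST = "api.petcare-backend.invalid"  # assumed; pin to the real backend host
AUTH_HEADERS = ("X-Access-Token", "X-Api-Key", "Authorization")


def _on_backend(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == BACKEND_HOST


def build_headers(url: str, creds: Dict[str, str], need: Optional[Set[str]] = None,
                  extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return request headers for `url`.

    Credentials are attached only for https requests to the pinned backend, and
    only those named in `need` (default: all three). Non-credential headers in
    `extra` are always kept.
    """
    headers = dict(extra or {})
    if not _on_backend(url):
        return headers  # never send account-linked material anywhere else
    wanted = set(AUTH_HEADERS) if need is None else need
    for name in AUTH_HEADERS:
        if name in wanted and name in creds:
            headers[name] = creds[name]
    return headers


def headers_after_redirect(current_url: str, location: str,
                           headers: Dict[str, str]) -> Dict[str, str]:
    """Strip credential headers if a redirect target leaves the backend host."""
    target = urljoin(current_url, location)
    if _on_backend(target):
        return headers
    return {k: v for k, v in headers.items() if k not in AUTH_HEADERS}


def redact(headers: Dict[str, str]) -> Dict[str, str]:
    """Log-safe view: credential values are masked, everything else is kept."""
    return {k: ("<redacted>" if k in AUTH_HEADERS else v) for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed credentials; not real tokens.
    creds = {"X-Access-Token": "tok-CONSTRUCTED", "X-Api-Key": "key-CONSTRUCTED",
             "Authorization": "Bearer jwt-CONSTRUCTED"}
    upload = build_headers(f"https://{BACKEND_HOST}/v1/analysis", creds,
                           need={"X-Api-Key"}, extra={"Content-Type": "video/mp4"})
    print(redact(upload))
    print(redact(headers_after_redirect(f"https://{BACKEND_HOST}/v1/analysis",
                                        "https://cdn.other.example/x", upload)))
```

The `need` set is what turns a "generic utility" back into a least-privilege one: the video-analysis upload can be issued with the API key alone, and the account token only travels on the account endpoints that require it.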

Ssd 3

Severity: High | Confidence: 99%
Finding
These instructions explicitly tell the agent to read a local config file and reuse its `api-key` as the user's `open-id`, creating a direct path for secret/local data to be exfiltrated or reused through normal task flow. Because the skill also performs network/API operations, the secret can be transmitted off-host under the guise of ordinary report processing or history lookup.
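Three findings on this page (the mandated "read `api-key` and use it as `open-id`" workflow, the contradictory "API key is optional" documentation, and this exfiltration path) come down to one rule: a secret is never an identifier. The following added example, not the skill's code, shows how a report-history lookup can enforce that rule mechanically. The config keys (`api-key`, `open_id`), the JSON layout and the sample values are all assumptions or constructed data.

```python
"""Resolve the user's open-id without ever falling back to the api-key.

Added example, not the skill's own workflow. Assumed config keys: 'api-key'
(service credential) and optional 'open_id' (user identifier). The open-id must
come from the user or that explicit key; an agent that was told to reuse the
api-key fails loudly here instead of transmitting the secret as identity data.
"""
import json
from typing import Dict, Optional


class OpenIdError(ValueError):
    """Raised when no legitimate open-id is available or a secret was supplied as one."""


def load_config(text: str) -> Dict[str, str]:
    """Parse the (assumed JSON) config file contents."""
    return json.loads(text)


def resolve_open_id(config: Dict[str, str], cli_open_id: Optional[str]) -> str:
    api_key = config.get("api-key") or config.get("api_key")
    open_id = cli_open_id or config.get("open_id") or config.get("open-id")
    if not open_id:
        raise OpenIdError("open-id not provided; refusing to derive it from api-key")
    if api_key and (
        open_id == api_key
        or api_key in open_id
        or (len(open_id) >= 8 and open_id in api_key)  # a large slice of the key is still the key
    ):
        raise OpenIdError("open-id matches the api-key; secrets are not identifiers")
    return open_id


def history_request(config: Dict[str, str], cli_open_id: Optional[str]) -> Dict[str, Dict[str, str]]:
    """Build the parameters for a report-history lookup plus a log-safe copy.

    The api-key goes only in the auth header, the open-id only in the query, and
    the 'log' view masks any value that equals a configured secret so a misuse
    cannot leak through logging either.
    """
    open_id = resolve_open_id(config, cli_open_id)
    api_key = config.get("api-key") or config.get("api_key") or ""
    params = {"open-id": open_id, "page": "1"}
    headers = {"X-Api-Key": api_key} if api_key else {}
    secrets = {v for k, v in config.items() if "key" in k.lower() or "token" in k.lower()}
    log_view = {k: ("<redacted>" if v in secrets else v) for k, v in {**params, **headers}.items()}
    return {"params": params, "headers": headers, "log": log_view}


if __name__ == "__main__":
    # Constructed config; the key value is not a real credential.
    cfg = load_config('{"api-key": "apikey-CONSTRUCTED-0123456789", "backend": "https://example.invalid"}')
    try:
        resolve_open_id(cfg, None)
    except OpenIdError as exc:
        print("no open-id:", exc)
    print(history_request(cfg, "alice@example.com")["log"])
```

The explicit failure is the point: "optional API key" and "required open-id" are only compatible when the two values are kept in separate channels, and a wrapper that refuses to conflate them turns the documented instruction into an error the operator can see.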

VirusTotal

VirusTotal findings are pending for this skill version.