Pet Oral Snapshot & Gum Redness Recognition | 宠物口腔抓拍与牙龈红肿识别

Security checks across malware telemetry and agentic risk

Overview

The skill’s pet oral-health analysis purpose is mostly coherent, but it also silently creates or reuses account tokens and stores them locally, which is more authority than the user-facing description clearly explains.

Review before installing. Use this only if you are comfortable sending pet mouth images/videos or URLs, user identifiers such as open-id/username/phone, and platform metadata to the configured LifeEmergence remote services, and with the skill storing account tokens in a local workspace SQLite database for later requests. Avoid giving it sensitive local files, and prefer a dedicated non-personal identifier if the platform allows it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The manifest presents the skill as image-based oral observation, but the body expands it into cloud-backed historical report retrieval and account-linked data handling. This scope expansion is risky because users and security reviewers may approve a seemingly narrow analysis skill while it actually performs broader data access and persistence operations.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Requiring an open-id sourced from local config files or directly from user identifiers such as phone number/username is broader than necessary for simple image analysis and couples analysis to identity collection. This creates unnecessary exposure of personal identifiers and local secrets, especially because the workflow also ties them to remote history queries and persistent records.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill manifest describes an analysis-oriented capability for pet oral snapshots, but this service also exposes generic record-management methods including add, edit, and delete. That mismatch expands the attack surface beyond the declared purpose and can enable unauthorized state-changing operations if these methods are reachable through the skill or reused by other components without strict access controls.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The delete method performs a camera-linked deletion by cameraSn, which is not justified by the stated oral-health image analysis purpose. In a pet-camera ecosystem, exposing deletion tied to a device identifier could allow accidental or unauthorized removal of records associated with a camera if the function is invoked with attacker-controlled input.

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
The script exposes a user-specific history listing path via `--list` and `show_analyze_list(open_id)` even though the skill is described as a one-shot oral snapshot analysis tool. This creates a broader data-access surface than advertised and may enable unintended retrieval of prior pet health observations tied to a user identifier, especially since `--open-id` accepts weak identifiers such as username or phone number and there is no visible authorization check in this file.

Intent-Code Divergence

High
Confidence: 98%
Finding
The documented endpoint and response schema are materially unrelated to the skill’s declared purpose of pet oral-health observation. A skill that claims to analyze pet gums/tartar but documents a generic 'common-analysis' API returning human face detection and constitution/organ assessments indicates either severe integration mismatch or deceptive functionality, which can cause sensitive user media to be sent to an unintended analysis service.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The API behavior described from the request/response section does not align with the claimed pet oral-health use case: it accepts video and returns human-oriented diagnosis data such as face detection, organ condition, and lifestyle suggestions. In this context, the mismatch is dangerous because users are prompted to provide pet mouth imagery while backend behavior suggests unrelated processing, creating risk of undisclosed collection, misrouting, or repurposing of uploaded media.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The skill manifest describes an analysis-only capability for pet oral snapshots, but this API service also exposes record-management methods for listing, adding, editing, paging, and deleting backend records. This expands the skill’s effective authority beyond its stated purpose, increasing the attack surface and enabling misuse of backend data-management functions that users and integrators would not reasonably expect from an analysis skill.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The delete(cameraSn) method allows deletion of camera-associated records even though the skill is presented as an oral health analysis tool. In this context, destructive data operations are especially risky because camera identifiers may map to user devices or collected pet-monitoring data, so abuse could cause unauthorized loss of records or tampering with audit/history data.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The skill exposes a history-listing function keyed only by a caller-supplied open_id/user identifier, which creates a risk of unauthorized access to another user's prior analysis records if the backend does not enforce strong authorization. In a pet health/media context, historical oral image or video analysis can reveal sensitive behavioral, household, or account-linked information, so this extra capability is more dangerous than the manifest suggests.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
This helper exposes generic add/edit/delete/list/page and arbitrary HTTP verb wrappers that can call essentially any backend URL, which is broader than the declared pet oral-health analysis purpose. In a skill that may process user-supplied file paths or network URLs, this overbroad capability increases the attack surface and makes it easier for other parts of the skill to perform unintended data access or side-effecting operations beyond image analysis.

Context-Inappropriate Capability

Low
Confidence: 90%
Finding
The get_user_by_username capability is unrelated to pet oral snapshot analysis and introduces access to identity-related data in a skill that does not need it. Even if not actively abused here, unnecessary user lookup functions expand reachable sensitive functionality and can enable account enumeration or privacy exposure if invoked by other code paths.

Description-Behavior Mismatch

Medium
Confidence: 83%
Finding
This module provides broad local persistence and mutation capabilities, including generic CRUD operations and local database creation, that exceed the narrowly described pet oral-health snapshot analysis behavior. In skill ecosystems, unnecessary data storage expands attack surface and increases the chance of undisclosed collection, retention, or misuse of user-associated data.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The presence of a sys_user model with account fields such as username, realname, email, birthday, token, and open_token is not justified by a pet oral snapshot analysis skill. Unrelated user-account storage in a narrowly scoped media-analysis skill increases privacy risk and suggests hidden or excess data handling beyond user expectations.

Context-Inappropriate Capability

Low
Confidence: 81%
Finding
The code derives a workspace path from environment state and creates a local SQLite database under a data directory, which is unrelated to the manifest's narrow oral-analysis role. Even without direct exploit primitives, this introduces undisclosed local statefulness and persistent data storage that can surprise users and complicate secure deployment.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The HTTP utility silently auto-registers or logs in a user via /sys/phoneLogin, obtains tokens, and persists them locally, even though the stated skill purpose is pet oral-image analysis. This creates undisclosed account creation and credential handling behavior, expanding data collection and identity linkage well beyond what is necessary for the feature and enabling unauthorized use of a user's phone-like identifier or account context.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The request wrapper injects tenant, skill hub, platform, and pnaUserName metadata into all outgoing requests by default. For a pet oral snapshot analysis skill, this broad identity and platform tagging is unnecessary for core image analysis and increases privacy exposure, correlation across services, and the risk of leaking user context to endpoints that do not need it.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
On HTTP 402, the skill returns instructions to install a separate payment skill and recharge the account, which is unrelated to oral-analysis output. This introduces undeclared commercial workflow steering inside a utility layer and can manipulate users into installing additional capabilities or revealing billing information unexpectedly.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger logic is broad enough to auto-activate on routine pet oral images/videos and related keywords, which increases the chance of unintended execution. In a skill that saves files, reads configs, and contacts remote APIs, overly eager triggering can cause data handling and network transmission without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 89%
Finding
Automatically saving uploaded files locally without a clear notice or consent introduces avoidable privacy and retention risk. Users may expect transient analysis, but the skill instead creates local artifacts that could persist, be accessed by other components, or be mishandled later.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill allows local files or supplied URLs to be sent to server-side APIs without clearly warning users that pet images/videos and associated metadata may leave the local environment. That remote transmission risk is amplified because users may assume the skill is only performing local analysis based on the high-level description.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow instructs the agent to collect a username or phone number as open-id without a corresponding privacy warning, minimization rationale, or safer alternative. Collecting direct identifiers for a pet image analysis workflow unnecessarily raises privacy risk and can expose sensitive personal data if mishandled or logged.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation explicitly supports file upload and public URL submission of pet video data but provides no notice about storage, retention, third-party sharing, or handling of potentially sensitive household recordings. Because this skill is intended for pet cameras and smart home scenarios, the absence of privacy and data-handling disclosures increases the chance of covert collection or misuse of ambient video from users’ homes.

Missing User Warnings

Medium
Confidence: 81%
Finding
The skill reads arbitrary local file contents and forwards them to a remote analysis API, but this code shows no user-consent prompt, path restriction, or trust boundary warning. In an agent environment, this can lead to unintended exfiltration of local data if a user or upstream workflow supplies a sensitive file path instead of the expected pet-media input.

Missing User Warnings

Medium
Confidence: 94%
Finding
Sensitive token fields are modeled for storage in a local SQLite database without any protection mechanism shown in this file, such as encryption, redaction, or lifecycle controls. If the database file is read from disk, backed up, or accessed by another local process, these tokens could enable account or API compromise.

VirusTotal

VirusTotal findings are pending for this skill version.
