Public Place Group Emotion Index (Exhibition / Mall) | 公共场所群体情绪指数(展览/商场)

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it handles public-camera video, identity-linked accounts, cloud uploads, and stored tokens in ways that are broader and less disclosed than its privacy-preserving description suggests.

Install only after the publisher clarifies cloud processing, retention, consent, and account creation. Do not submit public-camera footage unless you have legal authority and visible notice for affected people. Use a pseudonymous open-id rather than a phone number or username, avoid overprivileged API credentials, and fix the `yaml` dependency before installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Description-Behavior Mismatch

High (98% confidence)
Finding
The skill claims anonymized, non-identifying analysis, yet requires an open-id that may be a username or phone number and uses it to save and query reports. This creates direct linkability between surveillance-derived analytics and a real-world identifier, defeating the privacy claim and increasing the risk of tracking, profiling, or unauthorized access to historical reports.

Description-Behavior Mismatch

High (95% confidence)
Finding
The skill markets itself as privacy-preserving and says it should not store personal features, but its documented automatic behavior saves uploaded videos locally before analysis. For public-place camera footage, local persistence materially raises the risk of retaining identifiable imagery, unauthorized reuse, breach exposure, and policy noncompliance.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The code injects a petType parameter into the analysis request even though the skill is described as public-place group emotion analysis for people. This indicates functionality drift or code reuse from another domain, which can cause the service to invoke unintended model behavior, misroute data, or process inputs under the wrong analysis mode; in a surveillance/emotion-analysis context, that increases the risk of misleading outputs and undocumented data handling.

Intent-Code Divergence

Medium (93% confidence)
Finding
The inline comment explicitly references pet-type functionality, reinforcing that this code was copied or repurposed from an unrelated skill. That inconsistency is dangerous because it suggests the implementation may not match the declared purpose, undermining trust, increasing the chance of hidden or unintended behaviors, and potentially causing incorrect analytics in a sensitive public-monitoring deployment.

Description-Behavior Mismatch

High (98% confidence)
Finding
The API documentation is materially inconsistent with the declared skill purpose. A skill advertised as anonymous group-emotion aggregation instead documents a generic face-analysis and health-diagnosis API, which can mislead integrators into collecting and submitting identifiable facial video for unrelated biometric/health inference. In the context of public-place surveillance, this capability drift materially increases privacy, compliance, and misuse risk.

Context-Inappropriate Capability

Critical (99% confidence)
Finding
The documented response includes individualized constitution, organ-condition, complexion, and health-warning inferences from facial video, which goes far beyond anonymous crowd-level emotion analysis. This represents sensitive biometric and health profiling without justification from the stated use case, creating severe privacy, regulatory, and abuse risks—especially in public venues where subjects may not have meaningful consent.

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The skill manifest describes anonymous group-emotion analysis and report generation, but this API client also exposes add, edit, and delete operations that can modify managed resources. That capability expands the attack surface from read/analysis into configuration or asset management, creating a privilege and scope mismatch that could enable unauthorized changes if this skill is invoked in broader workflows or with overprivileged credentials.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The delete(cameraSn) operation indicates direct camera or device lifecycle management that is not supported by the stated purpose of anonymized public-place emotion aggregation. In a system integrated with security infrastructure, undocumented device-management functions could be abused to disrupt monitoring, alter deployment state, or pivot from analytics into operational control.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill accepts arbitrary http/https video URLs and forwards them for backend analysis without restricting the source to trusted cameras, approved domains, or pre-registered feeds. In a surveillance/emotion-analysis context, this expands the capability beyond the declared fixed-camera use case and can be abused to analyze unauthorized third-party streams or sensitive remote content, creating privacy, compliance, and misuse risks.

Description-Behavior Mismatch

Low (81% confidence)
Finding
The skill exposes report listing and export-link generation functionality that goes beyond simple real-time analysis and may reveal historical reports and report image URLs. If upstream API authorization is weak or misconfigured, this broadens data exposure and enables access to aggregated emotion reports that may contain sensitive operational or surveillance-derived information.

Context-Inappropriate Capability

High (96% confidence)
Finding
The script requires `--open-id` and describes it broadly as OpenID/UserId/username/phone number, introducing collection of direct personal identifiers in a skill marketed as privacy-preserving anonymous analysis. In a public-camera emotion-analysis context, tying analysis jobs or history to a phone number or username materially increases re-identification, tracking, and privacy-compliance risk.

Description-Behavior Mismatch

High (95% confidence)
Finding
The module defines persistent user-account storage with identifiable fields such as username, email, birthday, age, and authentication tokens, which directly conflicts with the skill's stated anonymous group-emotion analytics purpose. This creates unnecessary collection and retention of personal and credential-like data, expanding privacy, compliance, and breach impact well beyond what users would expect from the manifest.

Description-Behavior Mismatch

Medium (80% confidence)
Finding
The file performs database initialization, schema creation, and a hard-coded ALTER TABLE write against a user table, which is materially broader than the advertised analytics/reporting behavior. In the context of a skill claiming anonymous public-place emotion analysis, undisclosed local persistence and schema mutation increase the risk of hidden state, privacy overreach, and unexpected data retention.

Description-Behavior Mismatch

High (96% confidence)
Finding
This utility performs authenticated remote API activity, including implicit account bootstrap and token handling, that goes well beyond the skill’s declared purpose of anonymous public-place emotion aggregation. In this context, hidden backend coupling is dangerous because operators and deployers may believe the system is local/anonymized while the code transmits identifiers and acquires persistent credentials, expanding privacy, compliance, and abuse risk.

Context-Inappropriate Capability

High (98% confidence)
Finding
The _get_or_create_user function automatically performs phone-login/registration using a username as both mobile and openId, creating or retrieving accounts without an obvious user approval step. For a skill advertised as anonymized emotion analysis, undisclosed identity-linked account creation is a serious scope violation and can expose operators or subjects to tracking and unauthorized backend enrollment.

Context-Inappropriate Capability

Medium (84% confidence)
Finding
The payment/recharge guidance is not directly exploitable by itself, but it indicates undeclared monetization and account dependency embedded in a utility used by this skill. In a security-sensitive analytics product claiming anonymous operation, hidden billing flows increase the likelihood of deceptive UX, social engineering opportunities, and mismatch between promised and actual behavior.

Vague Triggers

Medium (86% confidence)
Finding
The default trigger activates on essentially any uploaded public-place camera video needing analysis, which is overly broad for a surveillance-oriented skill. Broad auto-invocation increases the chance of processing sensitive footage without clear user intent, especially where biometric-adjacent emotion inference and remote API submission are involved.

Vague Triggers

Medium (84% confidence)
Finding
The keyword triggers are ambiguous and overlap with normal operational requests such as customer satisfaction or safety warnings, making accidental invocation plausible. In this context, mistaken activation could cause unintended analysis of surveillance video, collection of identifiers, and transmission of sensitive data to backend services.

Missing User Warnings

High (96% confidence)
Finding
The skill does not clearly warn users that uploaded videos and user identifiers may be transmitted to a remote API/cloud service. Given that the content involves public surveillance footage and identity-linked report retrieval, omission of this disclosure prevents informed consent and materially increases privacy, compliance, and data-handling risks.

Missing User Warnings

Medium (94% confidence)
Finding
The API requires uploading video files or public video URLs to a remote server, yet the documentation provides no privacy, retention, consent, or data-handling notice. Because the videos may contain faces and potentially sensitive inferred attributes, the absence of data-governance guidance increases the likelihood of unlawful collection, excessive retention, third-party exposure, and unsafe integration practices.

Missing User Warnings

Medium (92% confidence)
Finding
The code uploads either local file contents or a remote video URL to an analysis service without any user-facing disclosure, confirmation, or consent check in this file. Because the skill processes public-place video for emotion inference, silent transmission materially increases privacy and legal compliance risk, especially where biometric or behavioral analysis is regulated.

Missing User Warnings

Medium (95% confidence)
Finding
This code sends user identifiers and authentication material to remote services, including pnaUserName, App-Id, X-Access-Token, X-Api-Key, Authorization, and registration payload fields, without any visible disclosure or consent mechanism in the code path. Because the skill is framed as anonymous crowd-emotion analysis in public places, undisclosed transmission of operator-linked identity and credentials materially raises privacy, governance, and credential-handling risks.

Missing User Warnings

Medium (94% confidence)
Finding
Fetched tokens and user info are stored locally through the DAO layer without any visible notice, retention policy, or protection guarantees in this file. Persisting reusable authentication artifacts increases the blast radius of local compromise and is especially problematic where the skill markets itself around anonymity and privacy preservation.

VirusTotal

66/66 vendors flagged this skill as clean.
