Reptile Shedding Progress Analysis | 爬宠蜕皮进度识别

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches reptile shedding analysis, but it also performs under-disclosed identity, account-login, token storage, and cloud-history behavior that users should review before installing.

Install only if you are comfortable sending reptile enclosure media and an account identifier to the publisher's cloud service, and with the skill storing local authentication tokens for later report access. Prefer a non-PII open-id, avoid phone numbers, verify the external service and dependency list before installation, and remove or review the token database if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Description-Behavior Mismatch

Severity: Medium, Confidence: 82%
The skill documentation extends beyond one-shot visual inference into cloud-backed report management and history retrieval, which introduces persistence and data-access features not central to the stated task. That broadening increases privacy and abuse risk because historical animal/owner data may be queried or correlated unexpectedly. The issue is more concerning here because the workflow normalizes backend record access as part of routine analysis.

Description-Behavior Mismatch

Severity: Medium, Confidence: 88%
The workflow requires collecting an open-id to save and query reports, but that identity-handling function is not disclosed in the high-level manifest purpose. Users may provide identifiers without understanding they are being used for account linkage and persistent cloud retrieval, which undermines informed consent and privacy expectations. In a camera-based pet-monitoring context, tying analysis records to user identity increases sensitivity.

Context-Inappropriate Capability

Severity: Medium, Confidence: 93%
The skill mandates retrieving open-id from config files or directly from a username/phone number, which is unnecessary for pure image-based shedding analysis and expands into identity handling. Reading identifiers from local config and accepting phone numbers as identifiers creates avoidable privacy exposure and raises the chance of credential/PII misuse. Combined with network calls and local persistence, this becomes a meaningful data-handling risk.

Description-Behavior Mismatch

Severity: Medium, Confidence: 91%
The script exposes a history-list function tied to a user identifier even though the declared skill purpose is only current reptile shedding-phase analysis from images/video. This expands the data access surface to historical records and can enable unauthorized retrieval or profiling of user-associated animal care data if higher-level authorization is weak or absent.

Context-Inappropriate Capability

Severity: Medium, Confidence: 95%
The tool requires a broad caller-supplied identifier such as open ID, username, or phone number for a task that should primarily analyze submitted media. Collecting and using overbroad identifiers increases privacy risk and may permit insecure direct object reference behavior if records or analysis results are keyed off attacker-controlled identifiers.

Intent-Code Divergence

Severity: High, Confidence: 98%
The documented API is materially inconsistent with the stated skill purpose. Instead of reptile shedding analysis, it describes a generic human-oriented video analysis service with face detection and health diagnosis, which creates a strong risk of data being sent to an unrelated endpoint or a repurposed backend that processes sensitive human data outside user expectations.

Context-Inappropriate Capability

Severity: Medium, Confidence: 97%
The response schema includes human face detection, constitution diagnosis, and organ-condition assessments unrelated to reptile care. In the context of a reptile enclosure monitoring skill, these capabilities suggest hidden scope expansion or backend reuse that could process humans captured by the camera, exposing biometric and inferred health data without clear consent or necessity.

Description-Behavior Mismatch

Severity: Medium, Confidence: 92%
This API wrapper exposes generic page/list/add/edit/delete operations that go beyond the manifest's stated purpose of reptile shedding image analysis. Even though this file alone does not prove unauthorized use, the unnecessary CRUD surface increases the chance of misuse, over-privileged behavior, and accidental access or modification of backend records unrelated to the declared skill function.

Context-Inappropriate Capability

Severity: Medium, Confidence: 95%
The add, edit, and delete methods provide write capabilities that are not justified by the described read/analyze workflow of periodic reptile image assessment. Undocumented mutation operations create an integrity risk because a caller could alter or remove records in the backing system without that behavior being expected from the skill description.

Context-Inappropriate Capability

Severity: Medium, Confidence: 80%
The script accepts arbitrary remote URLs and forwards them to the analysis backend via skill.get_output_analysis without visible allowlisting, scheme restriction, or user-facing warning. In practice, this can expand the trust boundary and enable misuse of the backend for fetching or processing attacker-controlled remote content, which is unnecessary for a fixed-camera reptile-monitoring use case.

Context-Inappropriate Capability

Severity: Medium, Confidence: 89%
This shared config class reads platform/user identity environment variables such as OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, and FEISHU_OPEN_ID even though this file serves a reptile shedding analysis skill. Pulling unrelated identity data into generic configuration increases unnecessary data exposure and can cause accidental propagation of user identifiers across skills or logs. In this skill context, the mismatch between animal-image analysis and human/platform identity handling makes the access less justifiable and therefore more concerning.

Context-Inappropriate Capability

Severity: High, Confidence: 95%
The file defines generic user-account persistence with storage for token and open_token values, which is unrelated to reptile shedding image analysis and materially expands the skill's data-handling scope. Unnecessary credential/token storage increases the blast radius of compromise, enables collection of sensitive authentication artifacts, and creates a privacy and secret-management risk without clear business need in this skill context.

Description-Behavior Mismatch

Severity: High, Confidence: 98%
This utility code performs remote account lookup/provisioning, token acquisition, and credential attachment for arbitrary HTTP requests, which is far broader than what a reptile shedding image-analysis skill needs. In this context, the mismatch is dangerous because a seemingly harmless enclosure-monitoring skill can silently interact with external services and establish authenticated identities, expanding data-exfiltration and unauthorized-account-use risk.

Context-Inappropriate Capability

Severity: High, Confidence: 99%
The _get_or_create_user() flow automatically sends username/openId/mobile data to an external health API endpoint and may create or log in a user without clear user initiation. For a reptile shedding analysis skill, this is unjustified cross-domain behavior and increases privacy, compliance, and unauthorized-account-creation risk.

Context-Inappropriate Capability

Severity: Medium, Confidence: 96%
The utility loads, stores, refreshes, and updates user tokens via DAO/database operations even though token persistence is unrelated to reptile image-phase detection. Persisting authentication material broadens the blast radius of compromise and creates a covert stateful identity layer inside a skill that users would not reasonably expect.

Vague Triggers

Severity: Medium, Confidence: 80%
The trigger condition auto-activates the skill for essentially any reptile image/video analysis request, which is broader than necessary for this narrowly scoped shedding function. Overbroad triggering can cause unintended processing, unexpected file saving, and remote uploads of media the user did not intend to send through this workflow. The danger is amplified because the skill also performs identity lookup and backend interactions.

Missing User Warnings

Severity: Medium, Confidence: 87%
The skill states that uploaded image/video files are automatically saved locally, but the description does not clearly warn users about this persistence behavior up front. Silent or poorly disclosed local storage can expose sensitive media, increase retention risk, and surprise users who expected transient processing only. In conjunction with cloud reporting, this creates a broader-than-expected data footprint.

Missing User Warnings

Severity: Medium, Confidence: 88%
The API accepts direct video uploads and public video URLs but provides no warning or guidance about privacy, sensitive content, retention, or third-party access. Because enclosure cameras can inadvertently capture people, homes, or other sensitive surroundings, this omission increases the risk of unsafe data handling and unintentional disclosure.

Missing User Warnings

Severity: Medium, Confidence: 89%
The code reads arbitrary local files from a user-supplied path and transmits their full contents to an external analysis service, but there is no in-code consent, disclosure, or path-scope restriction. In a camera/animal-care skill context, this is more concerning because users may reasonably expect limited processing of enclosure imagery, not unrestricted local file exfiltration to a remote service.

Missing User Warnings

Severity: Medium, Confidence: 84%
The skill forwards user-provided remote URLs directly to the analysis service without warning or visible safeguards. This can expose sensitive URLs, trigger unintended retrieval of private resources by downstream systems, and broaden data-sharing beyond what users would expect from a reptile shedding analysis workflow.

Missing User Warnings

Severity: Medium, Confidence: 86%
The CLI requires an open-id and documents that it may be a user ID, username, or phone number, but provides no notice about collection, transmission, retention, or minimization. This creates a privacy and data-handling risk because operators may submit personally identifiable information to a remote analysis service without informed consent or necessity.

Natural-Language Policy Violations

Severity: Low, Confidence: 83%
The argument help text explicitly encourages use of a phone number as an identifier, which increases the chance of unnecessary collection of regulated personal data. In the context of a reptile shedding-analysis skill, collecting a direct personal identifier is not obviously needed, so the context makes this more concerning rather than less.

Missing User Warnings

Severity: Medium, Confidence: 97%
The request helper automatically injects identifiers and authentication headers into outbound requests and may include pnaUserName/tenant metadata without any visible user-facing disclosure. In the context of a reptile care skill, silent transmission of user identity and tokens to remote services is unexpected and can violate privacy expectations and organizational policy.

Missing User Warnings

Severity: High, Confidence: 99%
This block sends phone/openId-derived identifiers to an external endpoint for login/registration but provides no visible disclosure, warning, or consent mechanism. Because the advertised skill is animal image analysis rather than account management, the hidden transmission is especially suspicious and materially increases privacy and trust risk.

Missing User Warnings

Severity: Medium, Confidence: 95%
The code persists token and openToken values through DAO save/update flows without any visible disclosure to the user. Silent storage of long-lived authentication artifacts is risky because it can enable later unauthorized reuse and is unrelated to the stated reptile shedding workflow.

VirusTotal

VirusTotal findings are pending for this skill version.
