Fish Flashing & Scraping Detection (Ectoparasite Warning) | Reptile Pet Thermoregulation Behavior Recognition (Basking/Hiding)

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent reptile video-analysis purpose, but it also uses under-disclosed account, token, cloud history, and install behaviors that users should review before installing.

Install only if you trust the publisher and are comfortable sending reptile enclosure videos, public video URLs, user identifiers, tenant metadata, and report-history queries to the LifeEmergence/SMYX cloud services. Before use, replace the bad yaml dependency with the intended package, avoid putting API keys where open-id is expected, and treat locally cached tokens in the workspace database as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to obtain an 'open-id' by reading an 'api-key' from configuration files, effectively repurposing a secret credential as a user identifier. This is dangerous because it encourages unauthorized secret access and credential misuse, potentially exposing API keys or binding actions to the wrong identity.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The instructions say the skill must not infer or generate an open-id, yet they direct it to read an api-key from config and use that as open-id. This contradiction increases the chance of unsafe implementations, identity confusion, and accidental credential exfiltration because a sensitive secret is being substituted for a user-scoped identifier.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script exposes account-scoped history access through the required --open-id and --list flow even though the skill is presented as a single-purpose reptile behavior analyzer. That mismatch increases the chance of insecure direct object reference or privacy leakage if callers can supply arbitrary identifiers and retrieve another user's historical reports without strong authorization checks elsewhere.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The API documentation describes capabilities unrelated to reptile thermoregulation, including face detection and human health/constitution diagnosis. This mismatch is dangerous because it suggests the skill may route user-provided video to a different backend or a repurposed service, creating undisclosed data use, scope expansion, and possible collection of sensitive biometric or health-related information.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
Supporting arbitrary public video URLs expands the skill beyond its stated fixed-enclosure camera scope and can enable analysis of unrelated third-party videos. This increases the risk of unauthorized processing, abuse of the service for general-purpose surveillance or scraping workflows, and bypass of expected source restrictions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill accepts arbitrary HTTP(S) video URLs and forwards them to the backend analysis service, which expands the trust boundary beyond local fixed-camera footage described by the skill. If the downstream service fetches the URL server-side, this can enable misuse such as analyzing unintended third-party content, triggering backend requests to attacker-controlled endpoints, or creating SSRF-like exposure depending on the service implementation.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill exposes a report/history listing function that is broader than the stated purpose of single-video reptile behavior analysis. Without clear authorization checks in this code path, listing prior analysis records can leak sensitive historical data, metadata, or report URLs to users who should only access the current analysis result.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file defines a reusable DAO and a User model with account-oriented fields including username, email, token, and open_token, which materially exceeds the manifest's reptile-behavior analytics scope. This scope mismatch is dangerous because it introduces undisclosed identity and credential storage capabilities that may collect or retain sensitive data users did not expect this skill to handle.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The module automatically creates a local SQLite database, initializes tables, and performs schema migration behavior even though the manifest describes analytics/reporting rather than local persistent storage internals. Hidden persistence increases data-retention and transparency risk, especially in a video-monitoring context where users may not expect silent local state creation.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The User schema includes token and open_token fields, creating a credential-storage capability that has no clear justification for reptile thermoregulation analysis. Storing tokens in a local SQLite database can expose sensitive authentication material to local compromise, backup leakage, or unintended reuse across unrelated functions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This shared utility goes well beyond reptile video analysis and implements generic outbound HTTP access, token injection, account lookup/creation, and retry logic for authenticated platform calls. In the context of a narrowly scoped pet-behavior skill, this creates unnecessary capability to transmit data and operate on remote accounts, increasing the attack surface and enabling misuse if other code calls these helpers with attacker-controlled inputs.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The helper can silently call /sys/phoneLogin with a username/mobile/openId, create or log in an account, retrieve tokens, and persist them locally through the DAO layer. For a reptile enclosure analytics skill, this is unjustified privileged behavior that could create accounts or bind identities without informed user action.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The HTTP wrapper exposes generic methods for GET/POST/PUT/DELETE and accepts arbitrary URLs, parameters, headers, and options, effectively providing a broad exfiltration and remote-action primitive. Even if intended as reusable infrastructure, this is overbroad relative to the stated skill purpose and makes downstream abuse easier.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The default trigger activates whenever a user provides a reptile video for analysis, which is broad enough to cause the skill to run in contexts where the user did not specifically request this remote workflow. Overbroad triggering can lead to unintended file handling, remote submission, and processing of sensitive media without sufficiently explicit intent.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The history-query feature uses loose keyword matching and automatically triggers cloud retrieval of prior reports. Without tighter scoping, this can cause unintended access to remote records associated with a user identifier, creating privacy and authorization risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill says uploaded videos will be automatically saved locally, but this is not prominently disclosed in the main description or paired with user consent. Local persistence of media from inside enclosures can create privacy, retention, and sensitive-data handling issues, especially if users assume transient processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill requires cloud history lookup using open-id and remote API calls, but it does not prominently warn users that identifiers and report queries are sent off-device. This lack of disclosure undermines informed consent and may expose usage history and linked account data to external services unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to upload videos or submit public video URLs without any warning about data transmission, retention, or privacy implications. Because video may contain people, homes, or other sensitive context—and this document also suggests unrelated face-processing capability—the lack of notice materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads the entire local file and uploads it to the analysis service, but there is no user-facing notice, consent step, or minimization visible here. For camera footage, this may include sensitive environmental or household imagery, so silent exfiltration to a remote service creates a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The utility automatically adds pnaUserName, tenantCode, skill metadata, App-Id, X-Access-Token, X-Api-Key, and Authorization headers to outbound requests without any visible non-debug disclosure or consent mechanism in this file. That means identity, tenant, and authentication context may be transmitted to remote services in a way users would not reasonably expect from a reptile behavior monitoring skill.

Missing User Warnings

High
Confidence
99% confidence
Finding
The _get_or_create_user helper silently performs a remote phoneLogin/register flow using username/mobile/openId and a source tag, with no explicit warning in the code path. Hidden identity provisioning is especially risky here because the skill's declared purpose is animal behavior analytics, not user account management.

VirusTotal

65/65 vendors flagged this skill as clean.
