Real-time Staff Absence Monitoring Skill (人员离岗实时监测技能)

Security checks across malware telemetry and agentic risk

Overview

The skill does perform the advertised staff-absence video analysis, but it also carries under-disclosed cloud upload of media, local persistence of identity and token data, unrestricted URL ingestion, and leftover face/health-analysis code paths, all of which need review before use.

Use this only in an organization that has approved workplace video monitoring and cloud processing. Before installing, confirm employee/visitor consent, provider retention and security terms, report-link access controls, and whether health/face-analysis code paths are truly inactive. Use a dedicated scoped account or API key, avoid third-party or internal/private URLs, and treat the local workspace database as sensitive because it may contain tokens and user profile data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to retrieve an open-id or API key from local configuration files before asking the user. Pulling credentials from workspace files for a media-analysis task is unnecessary from the user's perspective and can cause unintended secret access or cross-skill credential reuse.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The documented API behavior materially contradicts the stated purpose of a staff absence detection skill. Instead of returning occupancy/absence results, it exposes face detection and health/constitution diagnosis outputs, which indicates significant scope expansion into biometric and inferred health processing without clear justification, creating privacy, compliance, and misuse risks.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The response format explicitly includes face detection and health-diagnosis style results such as organ condition, complexion analysis, and health warnings. For a workplace staff absence monitoring skill, this represents unjustified collection and inference of highly sensitive biometric and health-related data, which could enable surveillance overreach and trigger serious regulatory violations.
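One control a practitioner would put between the backend and the agent for the two findings above is output minimization: forward only the documented absence fields and alert on anything else. The block below is an added example, not the skill's or the backend's code; `ABSENCE_SCHEMA`, the marker list and every field name in `SAMPLE_RESPONSE` are constructed assumptions that mirror the kinds of outputs the finding describes.

```python
"""Added example: keep only the documented absence fields from a backend response.

This is not the skill's or the backend's code. ABSENCE_SCHEMA and every field
name in SAMPLE_RESPONSE are constructed to mirror the finding above.
"""
from typing import Any

# Hypothetical documented result schema: top-level keys allowed through, and for
# "absence" the sub-keys allowed through. None means "pass the value as-is".
ABSENCE_SCHEMA: dict[str, Any] = {
    "task_id": None,
    "status": None,
    "absence": {"detected", "start_ts", "end_ts", "duration_s", "confidence"},
    "report_url": None,
}

# Name fragments that indicate face or health inference the skill never declared.
SENSITIVE_KEY_MARKERS = ("face", "health", "organ", "complexion", "constitution", "diagnos")

# Constructed response, not captured from the real service.
SAMPLE_RESPONSE: dict[str, Any] = {
    "task_id": "t-1",
    "status": "done",
    "absence": {"detected": True, "start_ts": 1700000000, "end_ts": 1700000900,
                "duration_s": 900, "confidence": 0.91, "person_face_id": "f-42"},
    "report_url": "https://reports.example.com/r/1",
    "faces": [{"bbox": [10, 20, 80, 90], "embedding": "..."}],
    "health": {"organ_condition": "normal", "complexion": "pale", "warnings": []},
}


def minimize_response(payload: dict[str, Any],
                      schema: dict[str, Any] = ABSENCE_SCHEMA) -> tuple[dict[str, Any], list[str], list[str]]:
    """Return (kept, dropped_paths, sensitive_paths).

    kept holds only schema-listed fields. dropped_paths names every field that was
    removed; sensitive_paths is the subset whose name matches a biometric/health
    marker, so the caller can raise an alert rather than silently discard.
    """
    kept: dict[str, Any] = {}
    dropped: list[str] = []
    sensitive: list[str] = []

    def drop(path: str) -> None:
        dropped.append(path)
        if any(marker in path.lower() for marker in SENSITIVE_KEY_MARKERS):
            sensitive.append(path)

    for key, value in payload.items():
        if key not in schema:
            drop(key)
            continue
        allowed_sub = schema[key]
        if allowed_sub is None or not isinstance(value, dict):
            kept[key] = value
            continue
        kept[key] = {}
        for sub_key, sub_value in value.items():
            if sub_key in allowed_sub:
                kept[key][sub_key] = sub_value
            else:
                drop(f"{key}.{sub_key}")
    return kept, dropped, sensitive


if __name__ == "__main__":
    safe, dropped, sensitive = minimize_response(SAMPLE_RESPONSE)
    print("forwarded to agent:", safe)
    print("dropped:", dropped)
    if sensitive:
        print("ALERT undeclared biometric/health fields:", sensitive)
```

The point of returning `sensitive_paths` separately is that a face or health field appearing at all is itself a signal worth logging: it means the "inactive" code path the overview asks you to verify is in fact producing data.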

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
Allowing arbitrary public video URLs broadens the skill from controlled workplace monitoring into general-purpose remote video analysis. In the context of a skill already showing scope drift into facial and health analysis, this makes misuse more plausible by enabling analysis of third-party videos without clear authorization or provenance controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill accepts arbitrary HTTP(S) video URLs and forwards them to the backend analysis service without any visible allowlist, scope restriction, or user-safety guard. In a skill advertised for monitoring specific on-duty areas, this expands capability into general remote video ingestion, which can enable unintended surveillance, analysis of third-party content, or backend abuse against internal or sensitive URLs if the downstream service fetches them.
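The guard missing from the two URL findings above is an allowlist plus a resolve-and-check step, so that a URL can neither point at an arbitrary third party nor at an internal address such as a cloud metadata endpoint. The block below is an added example and not the skill's code; `ALLOWED_VIDEO_HOSTS`, the hostname and the resolver table in the demo are assumptions. The resolver is injectable so the logic can be exercised offline.

```python
"""Added example: allowlist-plus-resolution guard for user-supplied video URLs.

Not the skill's own code. ALLOWED_VIDEO_HOSTS and the demo hostname are
assumptions made for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical allowlist: only the organization's approved video export host.
ALLOWED_VIDEO_HOSTS = {"video-export.example.com"}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Production resolver: every A/AAAA address the host currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


@dataclass(frozen=True)
class UrlDecision:
    ok: bool
    reason: str
    pinned_ips: tuple[str, ...] = ()   # the fetcher must connect to these, not re-resolve


def _is_public(addr: str) -> bool:
    """Reject RFC 1918, loopback, link-local (incl. 169.254.169.254), multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_video_url(url: str, allowed_hosts: set[str] = ALLOWED_VIDEO_HOSTS,
                    resolve: Resolver = system_resolver) -> UrlDecision:
    """Decide whether a URL may be forwarded to the analysis backend."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return UrlDecision(False, "only https URLs are accepted")
    if parts.username is not None or parts.password is not None:
        return UrlDecision(False, "embedded credentials are not accepted")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return UrlDecision(False, "URL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname, as required
    else:
        return UrlDecision(False, "literal IP addresses are not accepted")
    if host not in {h.lower() for h in allowed_hosts}:
        return UrlDecision(False, f"host {host!r} is not on the allowlist")
    try:
        addrs = tuple(dict.fromkeys(resolve(host)))   # dedupe, keep order
    except OSError as exc:
        return UrlDecision(False, f"DNS lookup failed: {exc}")
    if not addrs:
        return UrlDecision(False, "host did not resolve")
    internal = [a for a in addrs if not _is_public(a)]
    if internal:
        return UrlDecision(False, f"host resolves to non-public address(es) {internal}")
    return UrlDecision(True, "ok", addrs)


if __name__ == "__main__":
    # Offline demo with a constructed resolver table instead of live DNS.
    table = {"video-export.example.com": ["93.184.216.34"]}
    for u in ("https://video-export.example.com/export/cam7.mp4",
              "http://video-export.example.com/export/cam7.mp4",
              "https://169.254.169.254/latest/meta-data/",
              "https://files.example.net/clip.mp4"):
        print(u, "->", check_video_url(u, resolve=lambda h: table.get(h, [])))
```

Two design points: every resolved address is checked, not just the first, because a host that returns one public and one private record is the classic way to slip past a single-address check; and the accepted addresses are returned as `pinned_ips` so the component that actually fetches the video connects to those addresses rather than resolving the name a second time (DNS rebinding).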

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill exposes report-listing and report-image export features that are not described in the manifest, increasing the effective data-access surface beyond the declared purpose of absence detection. Undocumented access paths to prior reports and export URLs can leak sensitive monitoring outputs, especially if higher-level policy, review, or user expectations were based only on the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The file implements persistent user/account storage including usernames, email, birthday, sex, age, and tokens, which is materially broader than the declared staff-absence detection function. In a computer-vision monitoring skill, collecting and retaining unrelated account and token data expands the attack surface and privacy exposure, especially if these records are accessible to other components or stored without clear necessity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The utility layer silently provisions or logs in users through `/sys/phoneLogin`, retrieves tokens, and persists them via DAO storage. For a staff-absence detection skill, this is unrelated privilege/account handling and creates a hidden identity and credential management path that could enable unauthorized account creation, token reuse, or lateral access if the local store is exposed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
On HTTP 402, the code injects instructions to install a payment skill and recharge an account, which is behavior outside the declared monitoring function. This cross-skill upsell/workflow injection is risky because it can socially engineer operators into installing unrelated capabilities and expands the attack surface beyond the intended skill boundary.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The auto-trigger phrases for historical report lookup are broad enough to activate cloud-backed report retrieval on ambiguous user requests. In this skill context, that could cause unintended access to monitoring history and associated identifiers, especially because the skill also saves media locally and queries remote APIs.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill states that uploaded attachments or media are automatically saved as local files, but does not provide a clear user-facing warning or retention explanation. For surveillance footage and workplace images, silent local persistence materially increases privacy and data handling risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill requires cloud/API-based retrieval of historical reports and uses open-id-linked operations, but does not clearly warn users that monitoring data, identifiers, and possibly report links will be transmitted to remote services. In a workplace surveillance context, this omission can expose sensitive personnel and operational data without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation explicitly states that media files and an `open_id` are sent to a cloud API for analysis, but it provides no privacy notice, consent guidance, retention details, or data-sharing limitations. Because this skill monitors employee presence in workplaces, the transmitted content may contain sensitive employee imagery and behavioral data, making undisclosed cloud processing a meaningful privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The API accepts uploaded videos and public video URLs for analysis but provides no warning or handling guidance for privacy-sensitive content, despite the documented outputs involving faces and health-like inferences. This omission increases the likelihood of users submitting regulated personal data without informed consent, retention controls, or security expectations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
For local paths, the code reads the entire file and sends its contents to the analysis API, but this code provides no user-facing notice, confirmation, or data-handling disclosure. In a surveillance-oriented skill that may process sensitive workplace footage, silent upload of local media creates privacy and compliance risk because operators may not realize files are being transmitted off-host.
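What the local-path finding asks for is a confinement-and-consent step in front of the upload: resolve the path, refuse anything outside an approved media directory, sniff the content, and ask the operator to confirm the exact file before any bytes leave the host. The block below is an added example, not the skill's code; the media root, size cap, suffix list and the `confirm` callback are assumptions, and `make_sample_media_root()` builds a constructed fixture so it runs offline.

```python
"""Added example: confine local media paths and require explicit confirmation before upload.

Not the skill's own code. The media root, size cap and confirm callback are
assumptions; make_sample_media_root() builds a constructed fixture for offline use.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

MAX_UPLOAD_BYTES = 512 * 1024 * 1024          # hypothetical cap
ALLOWED_SUFFIXES = {".mp4", ".mov", ".jpg", ".jpeg", ".png"}

# confirm(path, size, sha256) -> True only if the operator approved this exact file.
Confirmer = Callable[[str, int, str], bool]


@dataclass(frozen=True)
class UploadDecision:
    ok: bool
    reason: str
    path: str = ""
    size: int = 0
    sha256: str = ""


def _looks_like_media(head: bytes) -> bool:
    """Cheap content sniff so a renamed .mp4 that is really a database is not shipped."""
    return (head[4:8] == b"ftyp"                          # ISO BMFF: mp4/mov
            or head.startswith(b"\xff\xd8\xff")           # JPEG
            or head.startswith(b"\x89PNG\r\n\x1a\n"))     # PNG


def prepare_local_upload(path: str, media_root: str, confirm: Confirmer,
                         max_bytes: int = MAX_UPLOAD_BYTES) -> UploadDecision:
    """Validate a local media path; return ok=True only after the operator confirmed."""
    root = Path(media_root).resolve()
    candidate = Path(path)
    if not candidate.is_absolute():
        candidate = root / candidate
    try:
        real = candidate.resolve(strict=True)    # follows symlinks, so escapes show up
    except (OSError, RuntimeError):
        return UploadDecision(False, "file does not exist")
    if root not in real.parents:
        return UploadDecision(False, f"{real} is outside the approved media root {root}")
    if not real.is_file():
        return UploadDecision(False, "not a regular file")
    if real.suffix.lower() not in ALLOWED_SUFFIXES:
        return UploadDecision(False, f"unsupported media type {real.suffix!r}")
    size = real.stat().st_size
    if size == 0 or size > max_bytes:
        return UploadDecision(False, f"size {size} bytes is outside the accepted range")
    digest = hashlib.sha256()
    with open(real, "rb") as fh:
        head = fh.read(16)
        if not _looks_like_media(head):
            return UploadDecision(False, "content does not look like video or image data")
        digest.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    sha = digest.hexdigest()
    if not confirm(str(real), size, sha):
        return UploadDecision(False, "operator declined the upload")
    return UploadDecision(True, "ok", str(real), size, sha)


def make_sample_media_root() -> tuple[str, str]:
    """Constructed fixture: (approved_root, outside_dir), each holding a fake clip."""
    base = Path(tempfile.mkdtemp(prefix="absence-demo-"))
    root, outside = base / "approved", base / "elsewhere"
    root.mkdir()
    outside.mkdir()
    fake_mp4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 1024   # constructed, not a real video
    (root / "cam7.mp4").write_bytes(fake_mp4)
    (outside / "cam7.mp4").write_bytes(fake_mp4)
    (root / "notes.mp4").write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)  # renamed non-media
    return str(root), str(outside)


if __name__ == "__main__":
    root, outside = make_sample_media_root()
    ask = lambda p, n, h: input(f"Upload {p} ({n} bytes, sha256 {h[:12]}...)? [y/N] ").lower() == "y"
    print(prepare_local_upload("cam7.mp4", root, ask))
    print(prepare_local_upload(os.path.join(outside, "cam7.mp4"), root, ask))
```

The SHA-256 is computed before the prompt and handed to `confirm` so that what the operator approves is the exact bytes that will be sent, which also gives you a stable identifier to write to an audit log.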

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The request path transmits usernames, open IDs, API keys, access tokens, authorization tokens, and tenant/user metadata to remote services without any visible consent, minimization, or disclosure controls in this code. In a personnel-monitoring context, hidden transfer of identity and auth data is especially sensitive because the skill already operates in a workplace surveillance setting and may involve privileged organizational accounts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code saves and updates user tokens in local DAO-backed storage without any visible user notice or indication of encryption/protection. Persisted bearer tokens materially increase compromise impact because anyone with database access may be able to impersonate users or call upstream APIs as them.
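Before trusting the local workspace store, a practitioner would audit it for exactly the material the last several findings describe: credential columns, PII columns and token-shaped values hiding in generically named fields. The block below is an added example, not the skill's DAO code; the `user` and `report` tables and their rows are constructed to match the fields the findings list, and the column and value patterns are assumptions you should tune to the real schema.

```python
"""Added example: audit a local workspace SQLite database for persisted tokens and PII.

Not the skill's DAO code. The table layout and rows are constructed to match the
fields the findings list (username, email, birthday, sex, age, token).
"""
import re
import sqlite3
from dataclasses import dataclass

# Column names that should never hold plaintext in a workspace database.
SECRET_COLUMN_RE = re.compile(r"token|secret|api_?key|password|authorization", re.I)
# Column names that hold personal data unrelated to absence detection.
PII_COLUMN_RE = re.compile(r"(?:^|_)(email|birthday|birth_?date|phone|sex|gender|age)(?:$|_)", re.I)
# Value shapes that are almost always credentials: JWTs, Bearer strings, long random blobs.
TOKEN_VALUE_RE = re.compile(r"^(eyJ[\w-]+\.[\w-]+\.[\w-]*|Bearer\s+\S+|[A-Za-z0-9_\-+/=]{32,})$")


@dataclass(frozen=True)
class DbFinding:
    table: str
    column: str
    kind: str          # "secret-column", "pii-column" or "token-value"
    sample: str = ""   # redacted preview, never the full value


def _redact(value: str) -> str:
    return value[:6] + "…"


def audit_workspace_db(conn: sqlite3.Connection) -> list[DbFinding]:
    """Enumerate every table/column and flag secret columns, PII columns and token-shaped values."""
    findings: list[DbFinding] = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Names come from sqlite_master, so double-quoting them is sufficient here.
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            if SECRET_COLUMN_RE.search(col):
                findings.append(DbFinding(table, col, "secret-column"))
            elif PII_COLUMN_RE.search(col):
                findings.append(DbFinding(table, col, "pii-column"))
        # Scan values too: tokens often sit in generically named columns ("extra", "meta").
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, value in zip(columns, row):
                if isinstance(value, str) and TOKEN_VALUE_RE.match(value.strip()):
                    findings.append(DbFinding(table, col, "token-value", _redact(value)))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the skill's DAO store; values are fabricated."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (
            id INTEGER PRIMARY KEY, username TEXT, email TEXT, birthday TEXT,
            sex TEXT, age INTEGER, token TEXT, extra TEXT);
        CREATE TABLE report (id INTEGER PRIMARY KEY, user_id INTEGER, created TEXT, url TEXT);
    """)
    conn.execute("INSERT INTO user VALUES (1, 'alice', 'alice@example.com', '1990-05-14', 'F', 34, ?, ?)",
                 ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl", None))
    conn.execute("INSERT INTO user VALUES (2, 'bob', 'bob@example.com', '1985-01-02', 'M', 39, NULL, ?)",
                 ("ak_" + "0123456789abcdef" * 2,))
    conn.execute("INSERT INTO report VALUES (1, 1, '2024-06-01', 'https://reports.example.com/r/1')")
    conn.commit()
    return conn


if __name__ == "__main__":
    for f in audit_workspace_db(build_sample_db()):
        print(f"{f.kind:14} {f.table}.{f.column} {f.sample}")
```

Run it against the real workspace file with `sqlite3.connect("file:workspace.db?mode=ro", uri=True)` (path assumed) so the audit cannot modify the store. Any `token-value` hit is a bearer credential at rest that anyone with read access to the file can replay against the upstream API, which is the impact the finding describes.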

VirusTotal

66/66 vendors flagged this skill as clean.
