Virtual Fence Boundary-Crossing Warning Skill (虚拟围栏越界预警技能)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to support cloud-based baby safety video analysis, but it bundles mismatched face/health-analysis code and under-discloses account, token, and report storage behavior.

Review before installing. Use it only if you are comfortable sending baby/home-monitoring video or video URLs to the configured cloud service, associating reports with an open-id or phone-like identifier, and storing service tokens locally. Do not rely on it as the only safety control, and ask the publisher to clarify privacy, retention, deletion, and why face/health-analysis modules are bundled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
The workflow instructs the agent to read local configuration files to obtain an open-id/API-related value before performing analysis. For a baby-safety video skill, accessing local config files is not obviously required and expands the attack surface to sensitive workspace secrets and identifiers.

Description-Behavior Mismatch

High severity, 97% confidence
Finding
The README documents a Traditional Chinese Medicine face-analysis and health-diagnosis workflow, while the declared skill is for baby virtual-fence intrusion warning. This mismatch is dangerous because users, reviewers, or automated systems may trust the manifest while the packaged content actually supports a different, privacy-sensitive capability, creating risk of deceptive repurposing, unauthorized data collection, or accidental deployment of the wrong skill.

Description-Behavior Mismatch

High severity, 99% confidence
Finding
The documented API performs face analysis and health/constitution-style diagnosis, which is materially unrelated to the declared baby virtual-fence intrusion warning purpose. This mismatch is dangerous because it suggests hidden or overbroad collection and processing of biometric and inferred health data beyond user expectations, increasing the risk of privacy abuse, deceptive functionality, or repurposing of baby-monitoring video for sensitive analysis.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The response schema includes physiognomy/medical-style outputs such as organ condition, constitution, and health warnings, which are unjustified in a baby safety zone alert skill. In this context, such functionality is especially risky because it introduces sensitive health inference from video/face data without a clear safety need, creating privacy, compliance, and potential harm risks from inaccurate or unauthorized medical-like conclusions.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
This file implements configuration for a traditional face/health analysis workflow, with endpoints such as '/web/health-analysis' and '/web/ai-analysis', which is materially unrelated to the declared baby virtual-fence intrusion warning skill. That mismatch is dangerous because it indicates the packaged skill may invoke unintended backend capabilities, expand data access beyond the advertised purpose, and undermine trust, consent, and review assumptions for a child-safety context.

Description-Behavior Mismatch

High severity, 99% confidence
Finding
The implementation invokes a face-diagnosis workflow (`skill.get_output_analysis`) and presents medical-style analysis, while the declared skill is a baby virtual-fence intrusion warning tool. This mismatch is dangerous because users may trust the advertised infant-safety purpose, but the code appears to process different content and produce unrelated outputs, creating deceptive behavior and a serious safety/functionality gap.

Description-Behavior Mismatch

High severity, 99% confidence
Finding
The CLI descriptions and user-facing output explicitly describe a TCM face-diagnosis tool, not an infant danger-zone alert system. In a baby-safety context, misleading operators about what the system does can delay detection of real hazards and cause unsafe reliance on a non-protective feature.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The code and user-facing output clearly implement face/health analysis reporting, which materially conflicts with the declared baby virtual-fence intrusion-warning purpose. This kind of skill/manifest mismatch is dangerous because it can mislead users and integrators about what data is processed and what protections the skill actually provides, potentially causing unsafe reliance and unexpected handling of sensitive biometric/health data.

Description-Behavior Mismatch

High severity, 97% confidence
Finding
The input path logic accepts arbitrary local files or remote video URLs and sends them for generic analysis, but nothing in this flow enforces the claimed baby safety/virtual-fence use case. In context, this mismatch increases risk because operators may believe they are enabling a safety-monitoring control when the skill is actually forwarding unrelated video content for another analysis purpose.

Intent-Code Divergence

Medium severity, 90% confidence
Finding
The docstrings explicitly describe face-diagnosis report listing rather than baby intrusion alerting, reinforcing that the code behavior does not match the declared skill purpose. Misleading internal and external documentation can cause incorrect deployment decisions, privacy misunderstanding, and unsafe operational assumptions.

Intent-Code Divergence

Medium severity, 89% confidence
Finding
This internal documentation describes aggregation of historical face-analysis reports, which is inconsistent with a baby safety alerting skill and indicates potential repurposing of code without proper controls. Such discrepancies can hide sensitive data retention and reporting behaviors that users would not expect from the advertised functionality.

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
This file exposes generic HTTP GET/POST/PUT/DELETE wrappers that can call arbitrary URLs, which is broader than the declared baby-safety intrusion-warning purpose. In an agent-skill context, such reusable network primitives materially expand the attack surface by enabling unintended outbound requests, data exfiltration, or interaction with unrelated remote services if other components pass attacker-controlled endpoints or payloads.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The add/edit/delete methods provide generic remote modification capabilities without visible scoping to the skill's stated safety-alert function. In a skill that should primarily analyze boundaries and raise alerts, broad CRUD wrappers increase the risk that the component can alter unrelated backend state or be repurposed for unauthorized actions if invoked with untrusted parameters.

Context-Inappropriate Capability

Medium severity, 84% confidence
Finding
This model stores sensitive authentication and profile-like data, including token and open_token, despite the skill's stated purpose being baby safety zone alerting. Collecting and persisting such secrets without clear necessity broadens the attack surface and, if the local SQLite database is accessed, could expose account takeover material and personal data.

Context-Inappropriate Capability

Medium severity, 88% confidence
Finding
The skill includes an agent-chat capability that is unrelated to the declared baby virtual-fence safety purpose, creating an unnecessary expansion of attack surface. Even though command execution is currently stubbed out, the code is structured to invoke an external agent with attacker-controlled prompt content, which could later enable unauthorized data flow, prompt injection into another agent, or unsafe capability escalation if re-enabled.

Description-Behavior Mismatch

High severity, 97% confidence
Finding
This utility implements broad authenticated HTTP operations, token management, account lookup/creation, retry logic, and payment-related handling that are not justified by a narrowly described baby-safety virtual-fence skill. In this context, the excess capability increases the attack surface and enables unintended data access or backend actions if reused by the skill or any imported component.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The code can automatically register or log in users by sending identifiers to a backend and then persist returned tokens, which is unrelated to detecting a baby approaching dangerous areas. That behavior can silently create accounts, bind user identities, and obtain credentials without clear user action, creating privacy and authorization risks.

Context-Inappropriate Capability

Medium severity, 89% confidence
Finding
The helper exposes a generic network request primitive supporting multiple HTTP methods, arbitrary URLs, parameters, headers, and caller-controlled options. Even if intended as reusable infrastructure, this is overbroad for a narrowly scoped baby-safety skill and could be abused to contact unintended services or expand the skill's behavior beyond user expectations.

Vague Triggers

Medium severity, 84% confidence
Finding
The trigger logic defaults to activating on generic monitoring-video requests and broad fence/intrusion language. Overbroad activation can cause the skill to process videos, save attachments, or contact remote services in situations where the user did not intend this specific workflow, increasing privacy and data-handling risk.

Vague Triggers

Medium severity, 87% confidence
Finding
Automatic history-query activation based on broad natural-language keywords can cause retrieval of stored reports without sufficiently clear user intent or scope. In a child-safety context, those reports may contain sensitive videos, screenshots, timestamps, and identifiers, so accidental disclosure is a real risk.

Missing User Warnings

High severity, 94% confidence
Finding
The skill description emphasizes safety monitoring but does not clearly warn that uploaded videos, screenshots, timestamps, and user identifiers are sent to a cloud API and retained for later querying. Because the content involves infants in private home spaces, the missing privacy disclosure materially increases the risk of uninformed collection and storage of highly sensitive data.

Missing User Warnings

Medium severity, 88% confidence
Finding
The README instructs users to analyze local or remote face videos via an API and to configure an API URL and key, but it does not clearly warn that biometric/health-related video data may be transmitted to a third-party or self-hosted service. In this context, the data is especially sensitive because it involves facial imagery and inferred health information, so omission of privacy and transmission disclosures can lead to uninformed handling of regulated or highly personal data.

Missing User Warnings

Medium severity, 93% confidence
Finding
The API accepts uploaded videos or public video URLs for face analysis but provides no warning or controls regarding biometric and potentially health-sensitive data handling. Given the skill’s child-safety context, this is more dangerous because the inputs may contain infants or household members, making undisclosed collection, transmission, retention, or third-party exposure of video and face data a significant privacy risk.

Missing User Warnings

Medium severity, 89% confidence
Finding
The tool requires and stores a user identifier (`open-id`) without any visible privacy notice, minimization, or explanation of how it will be used. In a video-analysis context involving potentially sensitive family/baby footage, collecting persistent identifiers without disclosure increases privacy, tracking, and misuse risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The analysis function accepts a local file path or remote URL and passes it into the skill analysis path without any explicit warning that content may be transmitted to an external service. Because the skill context involves likely sensitive video of babies or household interiors, silent off-device processing materially raises privacy and confidentiality concerns.

VirusTotal

65/65 vendors flagged this skill as clean.