AB-Agents-Meter-Reader

Security checks across malware telemetry and agentic risk

Overview

This meter-reading skill mostly does what it says, but it needs review because it sends household photos through an external tool and silently looks for credentials in a root OpenClaw file.

Install only if you are comfortable sending selected meter photos to MiniMax, running an unpinned `uvx` MCP package, and storing tenant/address plus utility readings locally in plaintext. Prefer a dedicated low-privilege MiniMax key supplied explicitly by your user account, and avoid photos that include unrelated private household details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation describes persistent local storage of readings history in `~/.meter-readings/history.json`, which implies file read/write behavior, yet no permissions are declared. Undeclared storage capabilities reduce transparency and informed consent, making it easier for users to run a skill that accesses local data without an explicit trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill claims to read meter photos and generate landlord messages, but the documentation also shows collection and storage of tenant names, apartment addresses, and transmission of images to an external vision service. This is a meaningful behavior expansion involving personal data and third-party processing, and users may not reasonably infer those privacy implications from the core description alone.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's stated purpose is local meter-reading assistance, but it transmits image-related data to an external AI service via an MCP tool without clear disclosure or consent. Even if only the image path is passed in code, the effective behavior is external processing of user-supplied meter photos, which can expose sensitive household information and violates user expectations about local-only handling.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script sources a hidden environment file from /root to obtain API credentials, which is unrelated to ordinary meter-reading functionality and bypasses transparent user credential handling. This creates a trust and privilege-boundary issue: the skill implicitly depends on sensitive root-scoped secrets and may use them without the invoking user's knowledge.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that photos are analyzed using the MiniMax VL API and that readings history is saved locally, but it does not present this as a clear privacy/security warning near the user-facing usage flow. Meter photos, addresses, and usage history can reveal household occupancy and location information, so undisclosed external transmission and retention create avoidable privacy risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The image analysis flow sends prompts and the local image source to an external MCP-connected service without any user-facing warning, consent, or privacy notice. Meter photos can reveal personal and household data, so silent exfiltration to a third party is a real privacy/security issue in this skill context.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Silently loading an API key from a hidden environment file is not by itself credential theft, but it is undisclosed access to sensitive material and undermines transparency. In a user-facing utility, implicit secret consumption can mask external-service usage and make auditing or consent impossible.

VirusTotal

65/65 vendors flagged this skill as clean.