sjht-data-annotation

Security checks across malware telemetry and agentic risk

Overview

This is a plausible data-annotation skill, but its web API and deployment instructions can expose private files and allow overly broad file writes.

Install or use this only in a controlled environment. Do not expose it through nginx or point it at private datasets unless you add authentication, remove wildcard CORS and autoindex, restrict API reads/writes to a dedicated data directory, and avoid running it as root or changing /root permissions. Confirm any third-party model upload is acceptable for the data being labeled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill includes nginx configuration changes, service restarts, process management, and filesystem permission changes, which exceed normal annotation behavior. These actions can disrupt existing services, weaken host security, and turn a data-processing skill into a system-administration tool with much larger blast radius.

Intent-Code Divergence

High
Confidence: 98%
Finding
The root listing endpoint accepts user-controlled `dir` and `results` parameters, then enumerates that directory and loads the specified annotation file without constraining either path to `DATA_DIR`. This breaks the documented trust boundary and enables arbitrary directory listing and reading/parsing of attacker-chosen files on the host, which is especially dangerous because the service exposes local filesystem metadata and contents to any local caller.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The POST `save` action accepts an arbitrary `file` path and writes JSONL output there after creating parent directories, with no validation that the destination is under `DATA_DIR`. This gives callers arbitrary file write capability as the service user, which can overwrite application files, drop files into sensitive locations, or poison configuration and data used by other processes.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The GET `/` handler lets the caller supply any `dir` to recursively enumerate files and any `results` file to read and parse, without limiting those paths to the annotation workspace. Even though `/file` later enforces `DATA_DIR`, this endpoint already leaks arbitrary filesystem structure and selected file contents/records, exceeding the stated purpose of a data-annotation tool.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases are broad enough to match many ordinary data-processing requests, increasing the probability that the skill is invoked in contexts where its file, network, and deployment instructions are unnecessary or unsafe. Overbroad activation is dangerous because it can expose users' data to external APIs or induce system changes under a generic-sounding request.

Missing User Warnings

High
Confidence: 95%
Finding
The skill explicitly directs sending image or other content to third-party model APIs but does not require an explicit warning or consent flow about external data transmission. In an annotation context, datasets may contain confidential, regulated, or personal information, so silent upload to outside providers can cause serious privacy and compliance violations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes commands that modify nginx configuration, kill processes, change filesystem permissions, and restart services, without requiring a warning about service interruption or host-level changes. In shared or production systems, these actions can cause outages, expose data, or interfere with unrelated applications.

Missing User Warnings

Medium
Confidence: 91%
Finding
This is not merely a UX issue: because the save operation writes to an attacker-controlled path without meaningful restriction, the missing confirmation coincides with a real arbitrary-file-write primitive. In a local HTTP service with permissive CORS, that can be triggered unintentionally by a user-facing client or abused by other local software to alter host files.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill is configured for automatic activation on very broad keywords like 'annotation', 'label', and 'data processing', which can match many unrelated user requests. This increases the chance of unintended invocation, causing inappropriate access to user context or routing users into a data-labeling workflow they did not explicitly request.

VirusTotal

VirusTotal findings are pending for this skill version.