neodomain-ai

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Neodomain media-generation integration, but it handles cloud uploads and access tokens in ways users should treat carefully.

Install only if you trust Neodomain with your prompts, reference media URLs, uploaded local storyboard/media files, generated outputs, and phone or email login flow. Prefer a temporary or protected token store instead of adding the token to shared shell startup files, do not paste token output into logs, and only upload files you intentionally want sent to the cloud service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes environment variables, writes output files, and performs network operations, but it does not declare corresponding permissions. That creates a trust and sandboxing gap: operators may approve the skill under incomplete assumptions while it still handles tokens, downloads/uploads media, and writes artifacts locally. In this context, the undeclared network and file capabilities are especially relevant because the skill authenticates to a third-party service and saves generated content and metadata to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is media generation, but the skill also appears to perform authentication, token acquisition, model enumeration, arbitrary local-file uploads to cloud storage, storyboard batch processing, and report generation. This broader behavior materially changes the risk profile: a user invoking a content-generation skill may not expect credential collection workflows or file exfiltration/upload paths. In a skill that already has network and file access, this mismatch can conceal sensitive actions and undermine informed consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This skill includes account authentication and token-retrieval functionality even though the declared skill purpose is image/video generation. That expands the skill's capability into credential acquisition, which is security-sensitive and increases the risk of misuse, especially in agent contexts where users may not expect a generation skill to handle login flows.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script prints the access token, and even a ready-to-paste shell export command, directly to stdout. Tokens shown in console output can be captured by terminal history, logs, CI systems, agent transcripts, or other observers, which can lead to credential theft and account compromise.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script implements a generic file-upload capability to Alibaba OSS, which is broader than the advertised image/video generation functionality. In an agent-skill context, mismatches between declared purpose and actual capability are dangerous because they can enable covert exfiltration of arbitrary local files under the guise of media generation support.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The function accepts an arbitrary local file path, opens the file, and uploads its contents to remote object storage, creating a direct path for sensitive local data to leave the host. In the context of an agent skill, this is particularly risky because a user may invoke the skill for content generation without realizing it can read and transmit unrelated local files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to append a long-lived access token to shell startup files, which increases the chance of credential exposure through backups, dotfile syncing, shared accounts, shell-history mistakes, and accidental disclosure. While this is common operational guidance, presenting it without a warning about credential sensitivity or safer storage options is a real security weakness in installation documentation.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script sends contact information to an external service to request a verification code, but provides no clear user-facing disclosure that sensitive personal data is being transmitted. In an agent skill, this matters more because users may not realize their phone number or email is being sent to a third-party domain.

Missing User Warnings

High
Confidence
99% confidence
Finding
Printing the access token directly to stdout exposes a highly sensitive credential without any warning or masking. In agent or hosted environments, stdout is often logged, persisted, or visible to other components, making credential leakage likely and potentially leading to unauthorized API use or account takeover.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user-supplied image/video URLs and an access token to a remote third-party endpoint without any explicit warning or consent flow. This can expose private media locations, bearer credentials, and associated metadata to an external service, which is especially relevant in an agent-skill context where users may not expect network transmission.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script uploads file contents to a remote OSS endpoint and only prints a generic 'Uploading' message, without clearly warning that local data will be transmitted to external storage or identifying the destination in advance. This weak transparency increases the chance of inadvertent data disclosure, especially in automated or agent-driven environments.

Credential Access

High
Category
Privilege Escalation
Content
result = login(args.contact, args.code, args.invitation_code)
print("\n✅ Login successful!")
print(f"\nAccess Token:")
print(result.get("authorization"))
print(f"\nUser Info:")
print(f"  User ID: {result.get('userId')}")
Confidence
99% confidence
Finding
Access Token

VirusTotal

66/66 vendors flagged this skill as clean.
