EmoPAD Universe

Security checks across malware telemetry and agentic risk

Overview

This emotion-monitoring skill is mostly purpose-aligned, but it auto-starts sensitive background monitoring and uses broad local process control that users should review before installing.

Install only if you are comfortable with a background emotion-monitoring service starting immediately, installing Python packages, reading local sensors, exposing emotion status on localhost port 8766, and opening periodic image windows. Review how to stop it first, and prefer a controlled environment until package pinning, local API access control, GUI session handling, and broad process-kill behavior are improved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Close all nebula and eog processes"""
    # Kill all nebula.py processes
    try:
        subprocess.run(['pkill', '-9', '-f', 'python3.*nebula.py'], 
                      capture_output=True, timeout=2)
    except:
        pass
Confidence
89% confidence
Finding
subprocess.run(['pkill', '-9', '-f', 'python3.*nebula.py'], capture_output=True, timeout=2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Kill all eog processes (the ones displaying the nebula image)
    try:
        subprocess.run(['pkill', '-9', '-f', 'eog.*nebula_latest'], 
                      capture_output=True, timeout=2)
    except:
        pass
Confidence
91% confidence
Finding
subprocess.run(['pkill', '-9', '-f', 'eog.*nebula_latest'], capture_output=True, timeout=2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.path.exists(install_script):
        print("正在检查并安装依赖...")
        result = subprocess.run([sys.executable, install_script])
        return result.returncode == 0
    return False
Confidence
84% confidence
Finding
result = subprocess.run([sys.executable, install_script])

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
f.write(response.content)
            print(f"✅ 情绪星云图已保存: {output_path}")
            # Automatically open the image
            os.system(f"xdg-open {output_path} &")
            return 0
        else:
            print(f"生成截图失败: HTTP {response.status_code}")
Confidence
95% confidence
Finding
os.system(f"xdg-open {output_path} &")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def install_package(package):
    print(f"正在安装 {package}...")
    try:
        subprocess.check_call([sys.executable, '-m', 'pip', 'install', package, '-q'])
        print(f"✅ {package} 安装成功")
        return True
    except subprocess.CalledProcessError as e:
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, '-m', 'pip', 'install', package, '-q'])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env['DISPLAY'] = ':1'
        env['XAUTHORITY'] = '/run/user/1000/gdm/Xauthority'
        
        subprocess.Popen(
            [sys.executable, nebula_script],
            env=env,
            stdout=subprocess.DEVNULL,
Confidence
91% confidence
Finding
subprocess.Popen( [sys.executable, nebula_script], env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("🧹 清理旧进程...")
    if SYSTEM == 'Linux':
        try:
            subprocess.run(['pkill', '-9', '-f', 'python3.*nebula.py'], 
                          capture_output=True, timeout=2)
            subprocess.run(['pkill', '-9', '-f', 'eog.*nebula_latest'], 
                          capture_output=True, timeout=2)
Confidence
95% confidence
Finding
subprocess.run(['pkill', '-9', '-f', 'python3.*nebula.py'], capture_output=True, timeout=2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            subprocess.run(['pkill', '-9', '-f', 'python3.*nebula.py'], 
                          capture_output=True, timeout=2)
            subprocess.run(['pkill', '-9', '-f', 'eog.*nebula_latest'], 
                          capture_output=True, timeout=2)
        except:
            pass
Confidence
94% confidence
Finding
subprocess.run(['pkill', '-9', '-f', 'eog.*nebula_latest'], capture_output=True, timeout=2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
    elif SYSTEM == 'Windows':
        try:
            subprocess.run(['taskkill', '/F', '/IM', 'python.exe', '/FI', 'WINDOWTITLE eq nebula.py'],
                          capture_output=True)
        except:
            pass
Confidence
89% confidence
Finding
subprocess.run(['taskkill', '/F', '/IM', 'python.exe', '/FI', 'WINDOWTITLE eq nebula.py'], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
install_script = os.path.join(script_dir, 'install.py')
    
    if os.path.exists(install_script):
        subprocess.check_call([sys.executable, install_script])
        return True
    return False
Confidence
91% confidence
Finding
subprocess.check_call([sys.executable, install_script])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cli_script = os.path.join(script_dir, 'emopad_cli.py')
    
    if os.path.exists(cli_script):
        subprocess.check_call([sys.executable, cli_script, 'start'])
        return True
    return False
Confidence
87% confidence
Finding
subprocess.check_call([sys.executable, cli_script, 'start'])

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises substantial capabilities including shell, file, network, and environment access while declaring no permissions, preventing informed user consent and meaningful policy enforcement. In this context, the skill auto-installs dependencies, starts services, interacts with hardware, and writes local state, so undeclared capabilities materially increase risk of covert persistence, data exposure, or unexpected system changes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior omits security-relevant actions such as exposing local HTTP endpoints, persisting device identifiers and runtime artifacts under the user's home directory, and altering display-related environment variables before launching external viewers. These hidden behaviors are dangerous because users and reviewers cannot accurately assess attack surface, privacy impact, or persistence characteristics, especially for a skill handling sensitive biosensor-derived emotional state data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The snapshot command's stated purpose is to generate and save an image, but it also launches a local viewer. This extra capability increases attack surface and user surprise, particularly in a skill that already auto-starts services and UI components.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code claims to stop nebula-related image display, but actually kills all matching eog processes system-wide. This mismatch between stated behavior and real behavior is dangerous because it hides a broader destructive capability from users and reviewers.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code copies the entire environment into a background process and adds display/auth variables, which may unintentionally propagate credentials, API tokens, proxies, or other sensitive session state unrelated to emotion monitoring. If the child process or one of its dependencies is compromised, inherited environment secrets become immediately accessible.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that installation will automatically start a localhost service and a background process that generates and sends emotion reports every 5 minutes, but it does not provide clear consent, privacy disclosure, data destination details, retention information, or an opt-in step. In the context of biosignal and emotion-monitoring data, silent auto-start and periodic reporting materially increase privacy and surveillance risk even if the service only binds to 127.0.0.1.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatically starting a local service and recurring popup monitoring on installation can surprise users and creates persistence-like behavior without a strong, explicit warning or opt-in. Because this skill processes biosensor inputs continuously, silent auto-start increases privacy and usability risk and may normalize background monitoring the user did not fully intend.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description does not clearly foreground that the skill performs continuous real-time emotion monitoring and repeated sensor-data-driven reporting, which is sensitive behavioral/biometric processing. Insufficient notice undermines informed consent and can expose users to unexpected privacy harms, especially when emotional-state inference is derived continuously from EEG, PPG, and GSR signals.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The service exposes highly privacy-sensitive inferred emotional state and modality validity over an HTTP API without any authentication, authorization, consent flow, or in-code disclosure of the sensitivity of the data. Even though it binds to 127.0.0.1, local processes, malware, browser-based localhost attacks, or other same-host users can query /pad, /history, and /snapshot to extract intimate physiological inferences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The command writes a file to disk and immediately launches it with no warning or consent beyond a success message. Silent file creation plus automatic opening is risky UX/security behavior because it can trigger unexpected application launches and persists data in the user's profile.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installer performs network package installation and automatically starts persistent/background components with no consent step. For a skill handling local hardware and services, this behavior increases risk because users may unknowingly grant code execution, service exposure, and recurring UI activity during installation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script deletes PID state and forcefully terminates matching processes without prior warning, which can disrupt legitimate activity and mask operational errors. In an installer, destructive cleanup behavior is especially risky because users do not expect installation to kill processes on their machine.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly advertises continuous real-time emotion monitoring and periodic generation/sending of emotion-related output, but provides no privacy notice, consent flow, retention policy, or destination for transmitted data. Because this skill processes highly sensitive biometric and inferred emotional data, omission of user-facing disclosure materially increases the risk of covert surveillance, unexpected data sharing, and non-consensual collection.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script periodically pulls sensitive emotion/PAD status and image snapshots from a local service and displays them automatically every 5 minutes, without any consent, notice, authentication, or access-control checks in this file. In the context of a biometrics/emotion-monitoring skill that auto-starts and handles EEG/PPG/GSR-derived data, this increases privacy risk because highly sensitive inferred mental-state information may be collected and exposed on-screen to nearby observers or other local actors.

VirusTotal

64/64 vendors flagged this skill as clean.
