bozo-jiaodu

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does camera-angle prompt conversion, but it also ships under-declared BizyAir API scripts and a local permission file that can pre-approve shell/API actions.

Review or remove the packaged .claude/settings.local.json before installing. Only set BIZYAIR_API_KEY and run the scripts if you intentionally want BizyAir remote processing, and assume that submitted image URLs, prompts, task IDs, output URLs, and account quota will be handled by that third-party service.
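The pre-install review described above, as an added example that is not part of this listing or of the skill's own code: a Python audit script that walks a skill package, flags pre-approved shell rules in `.claude/settings.local.json`, flags scripts that read credential-looking variables from the environment, lists the external hosts those scripts are hard-wired to contact, and raises the severity when one file does both (credentialed network access, the pattern the findings below describe). It runs offline against a constructed sample package, not the real bozo-jiaodu files; the `Bash(command:*)` rule syntax under `permissions.allow` is assumed from Claude Code's settings format and should be checked against the documentation for your version.

```python
"""Offline pre-install audit of an agent skill package (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample package for the example (not the real bozo-jiaodu files):
# a manifest that claims prompt formatting only, a pre-approval file, and a
# script that contacts a remote API with a key taken from the environment.
SAMPLE_PACKAGE = {
    "SKILL.md": "---\nname: bozo-jiaodu\n"
                "description: Convert a description into a camera-angle prompt\n---\n",
    ".claude/settings.local.json": json.dumps({
        "permissions": {"allow": [
            "Bash(python scripts/create_task.py:*)",   # assumed rule syntax
            "Read(./prompts/**)",
        ]}
    }),
    "scripts/create_task.py":
        "import os, urllib.request\n"
        "key = os.environ['BIZYAIR_API_KEY']\n"
        "url = 'https://api.bizyair.cn/w/v1/webapp/task/openapi/create'\n",
}

# "Bash(...)" is assumed to be the prefix of rules that grant shell execution.
SHELL_RULE = re.compile(r"^Bash\(")
# Environment reads (Python or shell syntax) of credential-looking names.
ENV_KEY = re.compile(
    r"(?:os\.environ(?:\.get)?\s*[\[(]\s*['\"]|os\.getenv\(\s*['\"]|\$\{?)"
    r"([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)")
# Hosts named in hard-coded URLs.
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
SCANNED_SUFFIXES = {".py", ".sh", ".md", ".js"}


def shell_rules(settings: dict) -> list[str]:
    """Return the pre-approved rules that grant shell execution."""
    allow = settings.get("permissions", {}).get("allow", [])
    return [rule for rule in allow if SHELL_RULE.match(rule)]


def credential_reads(text: str) -> set[str]:
    """Names of credential-looking environment variables the text reads."""
    return set(ENV_KEY.findall(text))


def external_hosts(text: str) -> set[str]:
    """Hosts the text is hard-wired to contact."""
    return set(HOST.findall(text))


def audit_skill(root: Path) -> list[tuple[str, str]]:
    """Walk a skill directory and return (severity, message) findings."""
    findings = []
    settings_path = root / ".claude" / "settings.local.json"
    if settings_path.exists():
        for rule in shell_rules(json.loads(settings_path.read_text())):
            findings.append(("high", f"pre-approved shell rule in settings.local.json: {rule}"))
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        keys, hosts = sorted(credential_reads(text)), sorted(external_hosts(text))
        for key in keys:
            findings.append(("medium", f"{rel}: reads credential {key} from environment"))
        for host in hosts:
            findings.append(("medium", f"{rel}: contacts external host {host}"))
        if keys and hosts:  # a credential and a remote endpoint in the same file
            findings.append(("high", f"{rel}: credentialed network access "
                                     f"({', '.join(keys)} -> {', '.join(hosts)})"))
    return findings


def audit_sample() -> list[tuple[str, str]]:
    """Materialise the constructed package in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_PACKAGE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        return audit_skill(root)


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity}] {message}")
```

Point `audit_skill` at the unpacked skill directory before installing it; a high finding for a pre-approved shell rule, or for a file that both reads a credential and names a remote host, is exactly the under-declared capability this listing flags.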

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation includes shell-based operational capabilities, but the manifest does not declare corresponding permissions or clearly scope that behavior. This creates a misleading trust boundary: a user or orchestrator may treat the skill as a harmless prompt formatter while it also instructs execution of scripts and API calls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This skill is for converting user descriptions into camera-angle prompt text, but the local settings grant shell execution permissions and include a preapproved command that invokes a script with externally hosted input. That expands the skill's capability from text transformation into local command execution, creating an unnecessary attack surface if the script, its arguments, or future invocations are influenced by untrusted input.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest presents the skill as a camera-angle prompt conversion helper, but later documentation expands it into a remote image-processing tool using BizyAir APIs. This mismatch can cause the agent or user to invoke networked side effects and external processing they did not consent to under the original skill description.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill includes credential-dependent network operations and remote processing that are not necessary for simple text prompt conversion. Unnecessary external execution expands the attack surface, may transmit user-supplied images to third parties, and can misuse stored API credentials in contexts where users expected only local text transformation.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script requires an external API key and then performs authenticated network operations to create remote image-editing jobs, which goes beyond a local prompt-conversion helper. In this skill context, that means user-supplied image URLs and prompts are transmitted to a third-party service under privileged credentials, creating data exfiltration and scope-creep risk that users may not expect from the manifest.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest describes a prompt-formatting assistant, but the code actually submits image-editing tasks to BizyAir using user inputs and an API token. This mismatch is security-relevant because users and host systems may grant the skill broader trust than warranted, enabling undisclosed external processing of images and prompts.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The header comments explicitly describe remote image angle-adjustment task creation, contradicting the manifest's prompt-conversion-only framing. While comments alone are not exploitable, here they corroborate deceptive or inconsistent capability disclosure, which increases the risk of unauthorized external processing in a misclassified skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is described as a camera-angle prompt conversion assistant, but this script polls a third-party image-generation service and returns generated image URLs. That is a materially broader capability than declared, creating an undeclared data flow to an external service and increasing the attack surface for misuse, privacy leakage, and unauthorized remote task management.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script requires an API key and uses it to call BizyAir over the network, despite the skill's stated purpose being local prompt transformation. Hidden or unjustified credentialed network access is dangerous because it can transmit user data off-platform, enable remote operations outside expected scope, and make abuse harder for users and reviewers to detect.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger conditions are so broad that common words like '生成' (generate) or generic view-related terms may activate the skill in unrelated contexts. Overbroad activation increases the chance that the wrong skill handles a request, potentially forcing unexpected formatting or steering users toward the external processing paths documented later in the file.

External Transmission

Medium
Category
Data Exfiltration
Content
### Direct API call

If you do not use the scripts, you can call the API directly with curl:

**Create task**:
```bash
curl -X POST "https://api.bizyair.cn/w/v1/webapp/task/openapi/create" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${BIZYAIR_API_KEY}" \
  -d
```
Confidence
93% confidence
Finding
Documented curl call to the API (create task): `curl -X POST "https://api.bizyair.cn/w/v1/webapp/task/openapi/create" -H "Content-Type: application/json" -H "Authorization: Bearer ${BIZYAIR_API_KEY}" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
**Create task**:
```bash
curl -X POST "https://api.bizyair.cn/w/v1/webapp/task/openapi/create" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${BIZYAIR_API_KEY}" \
  -d '{
```
Confidence
91% confidence
Finding
https://api.bizyair.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
**Query result**:
```bash
curl -X GET "https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=<requestId>" \
  -H "Authorization: Bearer ${BIZYAIR_API_KEY}"
```
Confidence
90% confidence
Finding
https://api.bizyair.cn/

VirusTotal

57/57 vendors reported this skill as clean.
