Photo Guide

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a photography helper, but it under-discloses sensitive photo metadata handling and includes environment-changing dependency installation despite claiming read-only behavior.

Review before installing. Use it only in a sandbox or environment where package installation is acceptable, and avoid uploading personal photos with location metadata unless you are comfortable with the agent reading those fields. The artifacts do not show exfiltration or destructive behavior, but the read-only/privacy claims should be tightened before this is treated as low-risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to run `pip install -r requirements.txt` at analysis time, which changes the local environment and executes package installation based on repository-controlled inputs. Even for a photography skill, dynamic dependency installation is unnecessary in the default workflow and creates supply-chain and environment-integrity risk if requirements are malicious, compromised, or unexpectedly broad.

Scope Creep

High
Confidence
95% confidence
Finding
The manifest declares only `Bash` and `Read`, but the documented workflow uses Bash to perform package installation, effectively expanding behavior beyond a read-only analysis skill into environment modification. This mismatch is dangerous because reviewers or operators may trust the declared scope while the instructions actually authorize state-changing actions with supply-chain implications.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The safety section claims the skill only reads user files and does not write or modify anything, but earlier instructions install Python packages, which alters the system environment. This false assurance increases risk because users and agents may rely on the privacy/safety claims and consent to execution under a mistaken belief that the skill is non-mutating and offline-safe.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script returns GPS metadata from images even though the skill’s stated purpose is photography guidance such as style analysis, shooting parameters, and post-processing advice. GPS EXIF data can reveal precise location history and other sensitive contextual information, so collecting and exposing it without a clear need violates data minimization and increases privacy risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that uploaded photos will have EXIF metadata extracted, but it does not warn users that EXIF can contain sensitive data such as GPS coordinates, device identifiers, timestamps, and other privacy-relevant information. In a photo-analysis skill, users are likely to upload personal images, so silent metadata processing increases the risk of unintended privacy exposure or over-collection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code exposes GPS metadata to downstream consumers without any warning, disclosure, or consent flow. In the context of a photo-guidance skill, users may upload personal photos expecting analysis of visual or camera settings, not disclosure of embedded location data that could identify home addresses, travel patterns, or other sensitive places.

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=9.0.0
Confidence
94% confidence
Finding
Pillow>=9.0.0

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
Pillow

VirusTotal

65/65 vendors flagged this skill as clean.