jf-open-pro-device-human-detection

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned, but it controls live camera human-detection/tracking settings and sends signed device API requests to a configurable endpoint without enough guardrails.

Install only if you operate the target JFTech devices and are comfortable managing surveillance-related settings. Use only official JFTech regional endpoints, keep JF credentials and device tokens private, confirm the device serial/token before running set actions, and consider reading the current configuration before making changes.

SkillSpector (6)

By NVIDIA

Tainted flow: 'url' from os.getenv (line 136, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if channel is not None:
        body["Channel"] = str(channel)
    
    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()
    
    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 136, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        "Detect.HumanDetection": config
    }
    
    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()
    
    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 136, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if channel is not None:
        body["Channel"] = str(channel)
    
    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()
    
    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 136, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        "Detect.DetectTrack": config
    }
    
    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()
    
    if result.get("code") != 2000:
Confidence
95% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill enables human detection, face-related analysis, and tracking features, but the documentation lacks an explicit warning about surveillance, consent, retention, and other privacy implications. These capabilities can affect bystanders and household occupants, and users may enable them without understanding the privacy and compliance consequences. The context makes this more sensitive because the skill is specifically for camera-based detection and tracking, not a generic AI demo.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The examples show commands that immediately enable/disable detection and tracking or change sensitivity/return-time settings, but they do not clearly warn that these are live device configuration changes. A user could unintentionally weaken security monitoring, enable tracking unexpectedly, or alter production camera behavior on the wrong device. The risk is somewhat bounded because the actions target an authenticated device owned by the operator, but the changes are still operationally significant.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
