jf-open-pro-device-osd

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for JF camera OSD configuration, but it needs review because it can change camera settings with sensitive credentials and does not tightly bound where those signed requests go.

Install only if you trust the publisher and need to administer JF camera OSD settings. Keep JF_ENDPOINT on an official JF regional host, protect the JF app secret and device token, and manually confirm the target device, channel, and current configuration before running any set operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tainted flow: 'url' from os.getenv (line 91, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if channel is not None:
        body["Channel"] = str(channel)

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
91% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tainted flow: 'url' from os.getenv (line 91, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    if channel is not None:
        body["Channel"] = str(channel)

    response = requests.post(url, headers=headers, json=body, timeout=30)
    result = response.json()

    if result.get("code") != 2000:
Confidence
91% confidence
Finding
response = requests.post(url, headers=headers, json=body, timeout=30)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description and examples overstate supported actions and do not accurately match the exposed behavior, which can mislead users or an orchestrating agent into believing additional operations are available or safe. Combined with remote configuration capability and custom signing logic, this mismatch reduces operator visibility into what the skill actually changes and increases the risk of unintended device configuration changes or unsafe automation assumptions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad and ambiguous, making accidental invocation more likely during ordinary conversations about device settings or video overlays. Because the skill can issue remote configuration changes to live devices, weak trigger boundaries create a real prompt-safety risk of unintended state changes without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Short phrases like '隐私区域' or '视频水印' are especially susceptible to accidental matching because they lack an action verb, scope, and exclusion conditions. In a skill that can modify display overlays and privacy masking, this ambiguity can cause unintended configuration writes or agent misrouting of sensitive device-management requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples show how to change live OSD and privacy-region settings but omit explicit warnings that these actions can alter surveillance evidence overlays, obscure parts of the video feed, or affect monitoring and recording behavior. In a security-camera context, missing warnings materially increases the chance of unsafe or noncompliant changes being made without informed user consent.

VirusTotal

VirusTotal findings are pending for this skill version.
