claw2immich

Security checks across malware telemetry and agentic risk

Overview

This Immich photo skill is not malicious, but it deserves Review because it can expose private photos through broad Immich MCP access and unauthenticated shared links.

Install only if you trust the claw2immich MCP server and are comfortable giving an agent access to your Immich library. Prefer a read-only Immich profile or tool allowlist, use a trusted local or TLS-protected MCP endpoint, and require explicit user approval before creating or sending unauthenticated photo links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation includes executable shell commands (`mcporter call ...`) but the manifest does not declare corresponding permissions or capabilities. This creates a transparency and trust problem: users may invoke shell-capable workflows without the skill clearly disclosing that operational requirement, increasing the chance of unintended command execution in agent environments.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a photo search/download helper, but the documentation states that 249 tools from the full Immich OpenAPI spec are available, which can include write, delete, and administrative operations. This mismatch can cause operators or downstream agents to grant or use much broader authority than expected, violating least privilege and enabling destructive or privacy-impacting actions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The access profile section explicitly advertises `read_write` and `full_scope` modes, including admin access, even though the skill’s stated purpose is browsing and downloading photos. In this context, hidden or underemphasized elevation paths are dangerous because a user may install a seemingly read-oriented skill that can later modify or delete library contents or perform administrative actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README encourages natural-language searching, URL construction, and optional downloading of personal photos but does not warn that this skill enables access to privacy-sensitive media and metadata. In the context of a photo library, that omission can lead users or downstream agents to over-trust the capability, increasing the risk of exposing private images, locations, relationships, and shareable asset links.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill promotes downloading assets through shared links and notes that they are accessible without authentication, but it does not warn that these links expose private photos to anyone possessing the URL during the validity window. In a personal photo library context, this is especially sensitive because assets may contain faces, locations, and other private metadata, so unauthenticated sharing materially increases privacy and data leakage risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation instructs users to send unauthenticated shared links directly to others with no user-facing warning or confirmation step. This encourages unsafe sharing of potentially sensitive personal media and can lead to unintended disclosure if a link is pasted into the wrong chat, forwarded, or logged by third-party systems.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints `.originalPath` for the most recent matching photo directly to stdout, which exposes full filesystem layout information to whoever runs or captures the script output. Even though this is an example utility for photo search, revealing absolute or internal storage paths can leak sensitive host details, usernames, mount points, or storage organization that may aid further reconnaissance or unintentionally disclose private infrastructure details.

VirusTotal

66/66 vendors flagged this skill as clean.
