mar-computer-vision-expert

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only computer vision skill whose external API example is disclosed and aligned with its stated purpose.

Installation risk is reasonable for an instruction-only advisor. Before using the VLM example, confirm that the selected image may be sent to SkillBoss, avoid sensitive or regulated visuals unless the provider's terms allow it, and keep the API key protected, narrowly scoped, and out of logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill explicitly recommends sending image inputs to a third-party API endpoint but does not warn users that visual data may leave their environment. Images can contain sensitive personal, proprietary, or location data, so omission of a disclosure and consent step creates a real privacy and data-governance risk.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The example pulls an API key from an environment variable without any caution about protecting secrets, least-privilege use, or avoiding accidental exposure in logs and shared environments. This is a weaker issue than direct exfiltration, but it still normalizes unsafe credential handling guidance in a reusable skill.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
import os
import requests

API_BASE = "https://api.heybossai.com/v1"
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]  # secret read from the environment; keep it out of logs

def pilot(body: dict) -> dict:
    # Posts the request body (which may carry image data) to the external SkillBoss endpoint.
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
    )
    r.raise_for_status()
    return r.json()

Confidence: 95%
Finding: requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
- **Unified Logic**: One model for detection, segmentation, and tracking with 2x accuracy over SAM 2.

### 3. Vision Language Models (VLMs)
- **Visual Grounding**: Leveraging VLMs (e.g., Florence-2, PaliGemma 2, Qwen2-VL) via SkillBoss API Hub (`type: chat` with vision inputs) for semantic scene understanding. All VLM calls are automatically routed to the best available model through `https://api.heybossai.com/v1/pilot`.
- **Visual Question Answering (VQA)**: Extracting structured data from visual inputs through conversational reasoning, powered by SkillBoss API Hub's unified `chat` capability.

### 4. Geometry & Reconstruction

Confidence: 90%
Finding: https://api.heybossai.com/

VirusTotal

65/65 vendors flagged this skill as clean.