Tencent MPS

Security checks across malware telemetry and agentic risk

Overview

The skill is largely a Tencent MPS helper, but its preview/local-only claims are unreliable and some commands can upload local media or use cloud credentials when users would expect no side effects.

Install only if you are comfortable giving this skill Tencent Cloud MPS/COS credentials and letting it upload local media to your COS bucket. Treat --dry-run as unsafe for private local files until fixed, avoid using local-file inputs unless you intend remote upload, use least-privilege temporary credentials where possible, and review generated commands before confirming billed processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (45)

Intent-Code Divergence

Severity: Medium | Confidence: 97%
The documentation says the tool is purely local, does not call the MPS API, and does not incur any fees, but elsewhere indicates local files may be auto-uploaded to COS to generate links. That contradiction can mislead users into disclosing local media or triggering network/storage charges under false assumptions, which is a real security and trust issue even if it is not direct code execution.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The fee-free/local-only safety claim is undermined by guidance implying COS upload or other network use for local files. Users relying on the documentation may unintentionally transfer sensitive media off-host or incur cloud costs, making this a meaningful documentation-driven security/privacy vulnerability.

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
The script advertises dry-run as not making real calls, but `run()` loads cloud credentials and initializes the MPS client before the dry-run check. Even if this does not always send a network request immediately, it still accesses sensitive credentials and violates the safety expectation of a no-side-effects mode, which can surprise users and increase exposure in restricted environments.

Intent-Code Divergence

Severity: Medium | Confidence: 99%
`build_create_params()` uploads local files to COS as part of parameter construction, and `run()` invokes that before honoring `--dry-run`. This means a mode explicitly presented as non-executing can exfiltrate local image content to remote storage, creating real confidentiality and cost impact.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
This is the concrete manifestation of the dry-run flaw: by the time the script reaches the dry-run guard, local reference images may already have been uploaded to COS. A user relying on dry-run for safe testing could unintentionally disclose private local media to cloud storage and incur charges.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The script goes beyond normal task execution by attempting to load Tencent Cloud credentials from system files when environment variables are missing. In an agent/skill context, this expands credential access scope and can cause the tool to silently use host-level secrets the operator did not intend to expose to this skill, increasing the risk of unauthorized cloud actions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
The script is presented as a task-status/detail query tool, but it also generates COS pre-signed download URLs for task outputs. This expands its capability from passive metadata retrieval to granting temporary access to output objects, which can expose processed media to whoever can view the terminal output, logs, or captured command results.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
The loader is documented as managing a small set of MPS credentials, but it loads entire user-level files such as ~/.env, ~/.bashrc, and ~/.profile into the process. That broad import can unintentionally ingest unrelated secrets or attacker-controlled variables from the user's shell environment, expanding the trust boundary and enabling configuration poisoning or accidental exposure in later code paths.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
The module is presented as a task polling utility, but it also contains helper functions that upload local files to COS, download remote task outputs to the local filesystem, and generate HTML artifacts. This scope mismatch is dangerous in an agent/tooling context because reviewers or orchestrators may grant it broader trust than intended, enabling unexpected data exfiltration or local file writes through imported helper functions.

Description-Behavior Mismatch

Severity: Low | Confidence: 84%
The CLI/help text advertises only polling behavior, while the file also implements upload, download, and artifact-generation functions. In security-sensitive automation, misleading operational descriptions can bypass approval boundaries and cause users or agents to underestimate side effects.

Description-Behavior Mismatch

Severity: Medium | Confidence: 82%
The script’s help/documentation emphasizes URL/COS media processing, but the implementation also supports implicit local-file upload to COS and optional automatic download of outputs to local disk. This mismatch is security-relevant because users may unintentionally cause data exfiltration to cloud storage or local file writes they did not expect, especially in an agent setting where tools may run with ambient filesystem access.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
The documentation materially understates the script's behavior: beyond URL/COS transcoding, the code can upload local files to COS and later download outputs or generate local comparison artifacts. In an agent setting, this can cause unintended data movement between local storage and cloud storage because operators may rely on the docs to judge whether sensitive local files will leave the host.

Description-Behavior Mismatch

Severity: Low | Confidence: 85%
The script performs additional side-effecting operations beyond its primary documented purpose: it can automatically upload local files to COS and download generated outputs to the local filesystem. Hidden or under-documented file transfer behavior is security-relevant because users may unknowingly transmit sensitive media to cloud storage or write files locally, especially in an agent/skill context where tools may be invoked indirectly.

Vague Triggers

Severity: Medium | Confidence: 86%
The description contains a very broad set of trigger phrases spanning many generic media and AI tasks, which increases the chance the skill activates for ambiguous or only loosely related requests. Over-triggering is dangerous here because the skill can drive billed cloud processing, local file handling, COS operations, and task submission, so accidental invocation can lead to unwanted data exposure or charges.

Vague Triggers

Severity: Medium | Confidence: 92%
The description enumerates a very large set of broad trigger phrases, including generic media terms such as OCR, ASR, translation, background generation, video understanding, and task/query operations. This can cause the skill to activate on ordinary user requests that merely mention common media-processing concepts, leading to over-triggering, unintended tool use, and possible exposure of connected storage/task-management capabilities such as COS upload/download or environment checks.

Missing User Warnings

Severity: Medium | Confidence: 89%
The documentation states that local reference images are automatically uploaded to COS and then passed to the API, but it does not clearly warn users that local files will be transmitted to remote cloud storage and exposed via generated pre-signed URLs. In a media-processing skill, users may reasonably assume local-path inputs stay local, so this omission can lead to unintended disclosure of sensitive images or regulated data.

Missing User Warnings

Severity: Low | Confidence: 78%
The file instructs users to configure `TENCENTCLOUD_SECRET_ID/KEY` for signing and uploads but does not provide basic guidance on secure credential handling. This increases the chance that users will place long-lived secrets in shell history, scripts, logs, or shared environments, leading to credential exposure and unauthorized cloud access.

Missing User Warnings

Severity: Medium | Confidence: 86%
The documentation exposes capabilities to upload local files to COS/API and to write generated outputs into a local directory, but it does not clearly warn users that local content may leave the machine or that files will be written to disk. In an agent setting, this can lead to unintended exfiltration of sensitive local media or unanticipated local file writes when a user asks for video generation without understanding the data flow.

Missing User Warnings

Severity: Medium | Confidence: 93%
The documentation explicitly encourages users to submit local files and remote media URLs to Tencent Cloud MPS for analysis, but it does not warn that doing so transmits potentially sensitive audio/video content to a third-party cloud service. In a media-understanding skill, this omission is materially relevant because users may unknowingly upload private recordings, faces, voices, subtitles, or confidential business content for processing.

Missing User Warnings

Severity: Medium | Confidence: 90%
The document instructs users to upload, process, optionally download, and generate presigned URLs for video content without any warning about privacy, consent, retention, or handling of potentially sensitive media. Because videos may contain faces, voices, license plates, or confidential scenes, the omission can lead users to transfer regulated or personal data to cloud storage and processing pipelines without informed safeguards.

Missing User Warnings

Severity: Medium | Confidence: 93%
The document promotes voice cloning and voice replacement of real voices but provides no consent, authorization, privacy, or anti-impersonation safeguards. In a media-processing skill, this omission materially increases misuse risk because users are given operational instructions for cloning and re-voicing without any boundary conditions, enabling fraud, impersonation, or non-consensual synthetic media generation.

Missing User Warnings

Severity: Medium | Confidence: 90%
The documentation states that verbose mode prints full request parameters and responses, which can expose sensitive text content, source URLs, callback URLs, COS locations, and voice identifiers in logs or terminals. In shared environments, CI logs, support bundles, or agent traces, this can leak user data and operational secrets beyond the intended audience.

Missing User Warnings

Severity: Medium | Confidence: 90%
The documentation describes behaviors that can automatically upload local files to COS, download processed outputs to a local directory, and send task-completion callbacks to a user-supplied URL, but it does not prominently warn users that invoking these options transfers data off-host and may write files locally. In a media-processing skill, these are expected features, but failing to clearly disclose them can lead to unintended data exfiltration, privacy issues, or overwriting/writing files in sensitive locations when users or downstream agents follow the examples blindly.

Missing User Warnings

Severity: Medium | Confidence: 94%
The markdown describes automatic upload of local files to COS but does not warn users that local content may leave the machine, be stored remotely, or be subject to cloud access controls and retention. For a media-processing skill, uploaded files may contain sensitive personal, proprietary, or regulated content, so silent transfer materially increases privacy and compliance risk.

Natural-Language Policy Violations

Severity: Medium | Confidence: 88%
The examples promote watermark removal without any authorization, ownership, or lawful-use restriction. In this skill context, watermark removal is a content-manipulation capability that can facilitate copyright circumvention, provenance removal, or misuse of third-party media, so the lack of guardrails makes the documentation riskier than a neutral technical reference.

VirusTotal

62/62 vendors flagged this skill as clean.