Segment Anything

Security checks across malware telemetry and agentic risk

Overview

This skill performs local image background removal as described, but on first use it may install an unpinned GitHub package and download large SAM model files.

Install this only in an environment where you are comfortable with first-run network access, a large model download to ~/.cache/sam, and a runtime pip install from the Segment Anything GitHub repository. For tighter control, preinstall and pin dependencies yourself and use a local checkpoint path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import os

try:
    from segment_anything import SamPredictor, sam_model_registry
except ImportError:
    # Flagged behaviour: runtime install from an unpinned GitHub source via a shell call, then import
    print("Installing segment_anything...")
    os.system("pip install git+https://github.com/facebookresearch/segment-anything.git -q")
    from segment_anything import SamPredictor, sam_model_registry

import torch
Confidence
98% confidence
Finding
os.system("pip install git+https://github.com/facebookresearch/segment-anything.git -q")

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation and metadata indicate shell execution and network activity (auto-installing `segment_anything`, downloading checkpoints, and writing to `~/.cache/sam/`) without any declared permissions or explicit capability disclosure. This is dangerous because users and orchestration systems may treat the skill as local-only image processing while it can fetch remote code/artifacts and execute package installation commands, expanding the trust boundary and supply-chain risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code performs a runtime installation of an external package via a shell command, which is avoidable and materially increases risk from a security standpoint. Because the installed package is fetched from a remote repository at execution time and then imported, an attacker who can influence that source or the installation process can achieve arbitrary code execution in the host environment.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill says `segment_anything` is auto-installed on first run and checkpoints are auto-downloaded to `~/.cache/sam/`, but the description does not clearly warn users about network access and local writes before execution. While expected for ML tooling, undisclosed downloads and cache writes reduce informed consent, can surprise users in restricted environments, and may expose them to bandwidth, storage, or supply-chain concerns.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script installs external code without explicit user confirmation or warning, causing side effects beyond the expected task of local image processing. In an automated agent or server environment, this can unexpectedly modify the runtime, consume network access, and pull unreviewed code into execution, increasing supply-chain and operational risk.

VirusTotal

64/64 vendors flagged this skill as clean.