Segment Anything

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised image background removal, but on first use it may run pip to install an unpinned GitHub dependency and download large model files.

Install only if you are comfortable with first-run network access, a runtime pip install from GitHub, and large model downloads cached locally. For stricter environments, preinstall a reviewed, pinned segment_anything version yourself and pass a verified local --checkpoint file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    import os
    try:
        from segment_anything import SamPredictor, sam_model_registry
    except ImportError:
        print("Installing segment_anything...")
        os.system("pip install git+https://github.com/facebookresearch/segment-anything.git -q")
        from segment_anything import SamPredictor, sam_model_registry

    import torch
Confidence
98% confidence
Finding
os.system("pip install git+https://github.com/facebookresearch/segment-anything.git -q")
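As an added example (not code from the skill or from SkillSpector), the checks below are the hardened counterpart of the flagged os.system() fallback and of the Overview's advice to preinstall a reviewed version and use a verified local --checkpoint: refuse to install at runtime, accept a git+https requirement only when it is pinned to a full commit SHA, and verify the checkpoint's SHA-256 against an operator-supplied digest before any deserializer touches the file. The function names, the placeholder checkpoint bytes and the demo() harness are assumptions made for this example; the real SAM weight digests are not on this page and are not supplied here.

```python
import hashlib
import hmac
import importlib
import re
import tempfile
from pathlib import Path

# Only a full 40-hex commit SHA after '@' counts as a pin; branch and tag
# names (e.g. '@main') can move, so they are treated as unpinned.
_PINNED_GIT_RE = re.compile(r"^git\+https://[^@\s]+@([0-9a-fA-F]{40})(?:#\S*)?$")


def is_pinned_git_requirement(req: str) -> bool:
    """True only if req is a git+https requirement pinned to a commit SHA."""
    return _PINNED_GIT_RE.match(req.strip()) is not None


def require_preinstalled(module_name: str) -> bool:
    """Hardened counterpart of the flagged fallback: never pip-install at runtime.

    The skill runs os.system("pip install git+...") when the import fails.
    Here the failure is surfaced to the operator instead, so the environment
    owner decides which code gets installed and from where.
    """
    try:
        importlib.import_module(module_name)
    except ImportError as exc:
        raise RuntimeError(
            f"{module_name} is not installed; preinstall a reviewed, pinned "
            "version rather than letting this tool fetch it from GitHub"
        ) from exc
    return True


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream SHA-256 over a checkpoint file without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checkpoint(path, expected_sha256: str) -> bool:
    """True iff the local --checkpoint file matches an operator-supplied digest.

    The expected digest must come from a trusted record (the value noted when
    the weights were reviewed and stored), never from the same download that
    produced the file.
    """
    expected = expected_sha256.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("expected_sha256 must be a 64-character hex digest")
    path = Path(path)
    if not path.is_file():
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def load_verified_checkpoint(path, expected_sha256: str) -> bytes:
    """Gate on the hash before anything deserializes the file.

    A .pth checkpoint is a pickle, and loading attacker-controlled pickle data
    can execute code, so the check belongs before the load, not after. Returns
    the raw bytes on success; a real loader would pass the verified path to
    sam_model_registry[...](checkpoint=path) at this point.
    """
    if not verify_checkpoint(path, expected_sha256):
        raise RuntimeError(f"checkpoint {path} failed SHA-256 verification")
    return Path(path).read_bytes()


def demo() -> dict:
    """Exercise the checks on constructed data (placeholder bytes, not SAM weights)."""
    repo = "git+https://github.com/facebookresearch/segment-anything.git"
    results = {
        "unpinned": is_pinned_git_requirement(repo),
        "pinned": is_pinned_git_requirement(repo + "@" + "0" * 40),
        "branch_is_not_a_pin": is_pinned_git_requirement(repo + "@main"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = Path(tmp) / "sam_vit_h.pth"
        ckpt.write_bytes(b"constructed placeholder weights, not real SAM data")
        recorded = sha256_of_file(ckpt)  # stands in for the operator's trusted record
        results["good_hash_verifies"] = verify_checkpoint(ckpt, recorded)
        ckpt.write_bytes(b"constructed placeholder weights, TAMPERED")
        results["tampered_fails"] = verify_checkpoint(ckpt, recorded)
    try:
        require_preinstalled("segment_anything_not_actually_installed_here")
        results["missing_dep_raises"] = False
    except RuntimeError:
        results["missing_dep_raises"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A commit pin fixes which source pip fetches but does not review it, and pip's hash-checking mode (--require-hashes) rejects VCS URLs, so for a fully hash-pinned install build a wheel from the reviewed commit and pin that wheel's hash instead. The checkpoint digest should be stored alongside your policy, not in the skill's own documentation, since a compromised skill could update both.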

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation explicitly states that it can automatically download model weights and install the `segment_anything` package from GitHub at runtime, which introduces network access and shell-executed package installation that the skill never declares as capabilities. In a skill system, hidden outbound downloads and dynamic installation expand the trust boundary, reduce reproducibility, and create supply-chain risk if the remote repository or a downloaded artifact is compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared purpose is simple background removal, but the documented behavior includes automatic network downloads, dynamic dependency installation, and an `--all` mode that extracts multiple independent elements from an image. This mismatch is security-relevant because users and policy engines may approve a seemingly narrow image-editing skill without realizing it performs broader actions and external fetches, enabling unexpected data handling and supply-chain exposure.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill's stated purpose is image segmentation, but it also performs network-driven dependency installation as a side effect during normal execution. That hidden capability makes the skill more dangerous in context because users invoking a local image tool would not reasonably expect it to fetch and execute remote code automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatically installing an external package without clear up-front disclosure deprives users of informed consent for network access and code execution. While not inherently malicious, this increases the chance of unexpected system modification, supply-chain compromise, or policy violations in restricted environments.

VirusTotal

66/66 vendors flagged this skill as clean.