ClawHub
Back to skill

Security audit

PV Inspection

Security checks across malware telemetry and agentic risk

Overview

This is a local photovoltaic inspection report helper, but its generated reports should be treated as drafts because some advertised data and export features are incomplete or placeholder-based.

Install only if users understand that generated reports may contain sample or placeholder data unless verified and replaced with authoritative monitoring data. Keep reports local by default, review persisted defect records, and require explicit recipient confirmation before sending reports through Feishu, email, or any external channel.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill claims to generate standardized reports, statistics, and Word/PDF exports, but the described implementation appears to rely on placeholder content, simulated fixed data, and incomplete export support. In an operational photovoltaic inspection context, this can mislead users into trusting inaccurate reports, causing missed defects, incorrect production analysis, and unsafe maintenance decisions.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill explicitly supports sending inspection reports through Feishu or email but does not warn about external sharing of potentially sensitive operational data such as station names, defect details, equipment status, and photos. This increases the risk of inadvertent disclosure to unauthorized recipients or transmission over channels that do not meet organizational security requirements.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.