Fish and Aquarium Pet Health Diagnosis and Analysis Tool

Security checks across malware telemetry and agentic risk

Overview

This skill can analyze aquarium videos, but it also has under-disclosed account, token, history, and bundled face-analysis behavior that users should review before installing.

Install only if you are comfortable sending aquarium media and a stable identifier to the publisher’s remote services, and with the skill creating or reusing account tokens locally. Review or remove the bundled face-analysis code, local token persistence, history listing, and payment/account flows before routine use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to read workspace configuration files to obtain an api-key and repurpose it as the user's open-id, which is unrelated to the user-supplied fish video analysis task. This crosses a trust boundary by harvesting local configuration secrets/identifiers from the workspace and using them in outbound API calls, potentially exposing internal credentials and misattributing requests.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata describes aquatic pet health analysis, but this API service also exposes generic page/list/add/edit/delete operations. That broadens the skill's capability beyond the declared purpose and can enable unauthorized record management or destructive actions if these methods are reachable through the skill flow or reused by other components.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill manifest describes single video health diagnosis, but the code also exposes analysis-history listing via `show_analyze_list()`. That expands the data-access scope beyond the stated purpose and can expose prior user analyses or metadata if invoked without clear authorization and disclosure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script requires `--open-id` and uses it for account-scoped operations, including history access, even though the stated purpose is only video health analysis. Collecting a user identifier unrelated to the minimum necessary function increases privacy risk and can enable unauthorized access patterns if identifiers are guessed, reused, or mishandled.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill claims to perform aquatic pet health diagnosis, but it inherits behavior from a face-analysis skill. That creates a strong risk that user-supplied pet videos are processed by logic, prompts, API calls, or validation routines intended for human face analysis, causing unintended data handling, incorrect model selection, or misleading medical-style output. In a health-diagnosis context, this mismatch is more dangerous because users may rely on incorrect assessments for pet care decisions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README documents a human face health-analysis skill while the provided skill metadata claims the skill is for aquarium pet health diagnosis. This kind of capability/identity mismatch is dangerous because it can mislead reviewers and users about what data is actually collected and processed, potentially causing unexpected transmission of sensitive human biometric and health-related video to a backend API.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented behavior clearly targets human face diagnosis, not aquatic pet video analysis as declared in the manifest. In skill ecosystems, this is a serious trust and security issue because users may provide content under false assumptions, and the system may route or approve a skill for a benign pet-health use case while it actually handles sensitive human health and facial data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The referenced API documentation clearly targets human face analysis and pseudo-medical constitution/organ diagnosis, not aquatic pet health analysis. This mismatch is dangerous because it suggests the skill may collect and transmit human biometric video data under a misleading aquarium-health purpose, creating a serious risk of deceptive data handling and unauthorized sensitive-data processing.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file's stated API behavior contradicts the skill's declared aquarium-diagnosis purpose, indicating either severe implementation confusion or possible deceptive repurposing. In this skill context, users are expected to upload pet videos, so routing that content to a face-analysis service materially increases the risk of misuse, privacy violations, and invalid medical-style outputs unrelated to the advertised function.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file exposes generic CRUD-style operations such as page, list, add, edit, and delete that are not justified by the stated aquarium health analysis purpose. In a skill that should only submit videos for diagnosis and retrieve results, extra record-management surfaces expand the attack surface and may enable unauthorized data manipulation if reachable through the skill.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The implementation lives under a face_analysis path and appears to reuse face-analysis infrastructure despite the skill being described as aquarium pet diagnosis. This mismatch is dangerous because capability and data-flow reuse from an unrelated domain can hide unintended endpoints, permissions, or data handling inconsistent with user expectations, increasing the risk of covert collection or misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill includes a delete operation keyed by cameraSn, which is unrelated to analyzing uploaded fish or aquarium videos for health issues. If exposed, this could let the skill delete camera-associated records or devices, creating destructive impact well beyond the user’s expected diagnostic workflow.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file content clearly describes and configures a face/TCM health analysis workflow, while the skill manifest claims the skill performs aquarium pet health diagnosis. This kind of capability mismatch is dangerous because user-provided animal videos could be routed to an unrelated human-health analysis backend, causing deceptive behavior, privacy/compliance issues, and potential misuse of uploaded media.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code clearly implements human face diagnosis and outputs a 中医面诊分析报告, which conflicts with the manifest describing aquatic pet health analysis. This mismatch is security-relevant because users may submit sensitive human biometric/health-related video under false or misleading skill labeling, causing unauthorized collection and processing of highly sensitive personal data.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comments and function names describe generic video analysis, but the actual semantics route into face diagnosis and face-analysis-specific result handling. This inconsistency increases the chance that reviewers, operators, or users misunderstand what data is being analyzed and transmitted, which is especially risky when the underlying function appears to process sensitive human imagery and inferred health information.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill manifest says this capability analyzes aquatic pet videos, but the implementation outputs 'face diagnosis' results and export links. This mismatch is dangerous because users may submit sensitive media under false pretenses, causing unauthorized collection or processing by a different backend than the one implied by the skill description.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The input handling and report-listing logic are explicitly built around face-analysis workflows rather than aquatic pet health analysis. In this context, the mismatch can misroute user-provided videos or URLs to an unrelated medical/biometric analysis service, creating privacy, consent, and data-governance risks.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The inline documentation states the function retrieves face-diagnosis report lists, contradicting the aquarium-analysis manifest. While comments alone are not executable, here they corroborate that the implementation was repurposed from another skill and increase the likelihood of users being misled about what data is processed.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The alternate report-list method is also documented as handling face-diagnosis reports, reinforcing that the code does not match the declared skill purpose. This inconsistency is risky because it obscures true processing behavior and can hide unauthorized handling of user media or derived health-like results.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The list method calls `page(1, ApiEnum.DEFAULT__PAGE_SIZE_MAX, *args, **argss)`, but `page` expects the first argument to be a URL. This means the integer 1 is passed as the URL and the page size max becomes the page number, causing malformed requests and potentially redirecting traffic to a caller-supplied url hidden in kwargs, creating confusing behavior that can bypass intended endpoint selection or validation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file defines a generic local persistence layer and a user-account model for storing user metadata, which exceeds the narrowly described aquarium health video analysis purpose. This kind of hidden or unjustified data handling increases privacy and abuse risk because it creates durable state about users without a clear functional need in the manifest. The mismatch in purpose makes the behavior more suspicious in this skill context, not less.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores token and open_token values locally, along with username and email, even though aquarium video diagnosis does not require local credential storage. Storing tokens in plaintext in a local SQLite database materially increases the risk of credential theft, account takeover, and unauthorized API access if the host or workspace is compromised. In this context, the behavior is especially dangerous because it is unrelated to the declared skill purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file introduces a general-purpose AI agent invocation method (`ai_chat`) that is not necessary for aquatic pet video health analysis. Even though the subprocess execution is currently commented out, embedding unrelated agent-execution capability expands the skill's attack surface and could enable prompt-driven secondary actions if later re-enabled or called elsewhere.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The HTTP utility contains hidden account bootstrap behavior: it will auto-login or auto-register a user against a health backend using a username/openId/mobile and then persist returned tokens. That exceeds the stated purpose of aquatic pet video analysis and creates an undisclosed identity/account side effect, potentially exposing user identifiers to a separate service and enrolling users without informed consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The utility injects recharge/payment workflow instructions when a backend returns status 402, including directions to install another payment skill. This is unrelated to fish health analysis and indicates the skill can drive users into additional account/payment flows not evident from its description, increasing phishing-like risk and scope creep.

VirusTotal

66/66 vendors flagged this skill as clean.
