安全驾驶行为分析工具 (Safe Driving Behavior Analysis Tool)

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as a driving-video analyzer, but it bundles under-disclosed face/health analysis code plus account, token, and cloud-history behavior that users should review carefully.

Install only if you are comfortable sending driving videos or video URLs, plus a user identifier, to the provider's cloud service, and do not use a phone number or other sensitive identifier as the open-id. The publisher should separate or remove the face/health-analysis components, clearly disclose cloud processing and token storage, and tighten identity handling before this is treated as a normal driving-analysis skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Intent-Code Divergence

Severity: Medium | Confidence: 93%
The open-id flow is internally inconsistent: one section says execution must stop until a valid open-id is obtained, while nearby text allows continuing if the user refuses to provide one. In practice, such contradictions often lead agents or wrapper code to bypass identity validation, causing misattributed report storage, unauthorized access to another user's history, or processing under an unintended identifier.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The examples repeatedly use a placeholder-like open-id value despite earlier rules forbidding assumed or generated identifiers. Users or agents may copy these commands verbatim, leading to cross-tenant data mixing, overwriting shared records, or retrieving another party's report history if the backend accepts the value.
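Both findings above (the contradictory stop-or-continue rule and the copy-pasteable placeholder) are closed by the same control: a fail-closed open-id validator in whatever wraps the skill, so that neither an agent nor a user can run with an assumed value. The code below is an added example written for this review, not code from the skill or its publisher. The placeholder patterns, the `DRIVING_SKILL_OPEN_ID` variable name and the accepted identifier format are assumptions, since the skill's real rules are not reproduced on this page; the check also rejects phone numbers and email addresses as open-id, as the overview recommends.

```python
import re

# Constructed patterns for the kinds of values an agent might copy from
# documentation or fall back to; the skill's actual example value is not
# reproduced here (assumption: it looks like one of these).
PLACEHOLDER_PATTERNS = [
    re.compile(r"^<.*>$"),                                          # <open-id>
    re.compile(r"^(your|my|test|demo|example|sample)[-_]?", re.I),  # your_open_id
    re.compile(r"^(x+|0+|1+|123456\d*|abc|none|null|undefined)$", re.I),
    re.compile(r"placeholder|open[-_]?id[-_]?here", re.I),
]
# All-digit values of phone length cannot be told apart from a phone number,
# so they are rejected outright rather than guessed at.
PHONE_PATTERNS = [
    re.compile(r"^\+?\d{7,15}$"),   # E.164-style international number
    re.compile(r"^1[3-9]\d{9}$"),   # mainland China mobile number
]
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed format for a usable open-id: an opaque 8-64 character token.
ALLOWED = re.compile(r"^[A-Za-z0-9_-]{8,64}$")


class OpenIdError(ValueError):
    """Raised when no acceptable open-id is available; the caller must stop."""


def check_open_id(value):
    """Return None if value is an acceptable open-id, else the reason it is not."""
    if value is None or not value.strip():
        return "open-id is required; refusing to continue without one"
    v = value.strip()
    for pat in PLACEHOLDER_PATTERNS:
        if pat.search(v):
            return f"{v!r} looks like a documentation placeholder, not a real open-id"
    digits = re.sub(r"[\s()\-]", "", v)
    for pat in PHONE_PATTERNS:
        if pat.match(digits):
            return "open-id must not be a phone number (it is sent to the provider and stored with reports)"
    if EMAIL.match(v):
        return "open-id must not be an email address"
    if not ALLOWED.match(v):
        return "open-id must be 8-64 characters from [A-Za-z0-9_-]"
    return None


def resolve_open_id(cli_value=None, env=None):
    """Fail closed: accept an explicit --open-id value or the (assumed)
    DRIVING_SKILL_OPEN_ID variable, and never generate or assume one."""
    env = env if env is not None else {}
    candidate = cli_value if cli_value is not None else env.get("DRIVING_SKILL_OPEN_ID")
    problem = check_open_id(candidate)
    if problem:
        raise OpenIdError(problem)
    return candidate.strip()


if __name__ == "__main__":
    for sample in ["u_7f3a9c2d1e", "<open-id>", "13800138000", ""]:
        print(repr(sample), "->", check_open_id(sample) or "ok")
```

The point of `resolve_open_id` raising rather than returning a default is that the contradictory instruction in the skill text cannot be resolved in the skill's favour by wrapper code: with no usable identifier there is no call to the backend, and the "continue anyway" branch simply does not exist.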

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
The `--list` path exposes `show_analyze_list()`, which retrieves prior analysis records tied to the current user context without this capability being reflected in the stated skill purpose of analyzing uploaded driver videos. Scope expansion matters because history enumeration can reveal sensitive prior reports or metadata and increases privacy risk beyond one-shot analysis.

Context-Inappropriate Capability

Severity: Low | Confidence: 83%
The code accepts an arbitrary `--url` and forwards it for processing, extending the skill from local video analysis into remote resource handling. In practice this can enable unintended fetching of attacker-controlled or internal URLs by downstream components, creating SSRF-like and privacy risks if the backend retrieves the content.
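The usual mitigation for an arbitrary `--url` is to validate the target before it is forwarded, not to trust the backend to refuse internal addresses. The function below is an added example for this review, not the skill's own code. The resolver is injectable so the check runs offline; the allowed scheme, the blocked hostnames and the sample addresses used in the usage block are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hostnames that must never be fetched regardless of what they resolve to (assumed list).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _system_resolver(host):
    """Default resolver: every A/AAAA answer for host, since the fetcher may use any of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr):
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_video_url(url, resolver=_system_resolver):
    """Return None if url may be forwarded to the analysis backend, else a reason to refuse it."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} is not allowed (only {sorted(ALLOWED_SCHEMES)})"
    if parts.username or parts.password:
        return "credentials embedded in the URL are not allowed"
    host = parts.hostname
    if not host:
        return "URL has no host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return f"host {host!r} is blocked"
    try:
        addrs = [ipaddress.ip_address(host)]            # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return f"{host!r} resolved to no addresses"
    for addr in addrs:
        if not _is_public(addr):
            return f"{host!r} points at non-public address {addr}"
    return None


if __name__ == "__main__":
    # Constructed resolver table so the demo never touches the network.
    table = {"videos.example.com": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    offline = lambda h: table.get(h, [])
    for u in ["https://videos.example.com/clip.mp4", "http://videos.example.com/clip.mp4",
              "https://intranet.example/clip.mp4", "https://169.254.169.254/latest/meta-data/",
              "https://[::ffff:127.0.0.1]/clip.mp4", "file:///etc/passwd"]:
        print(u, "->", check_video_url(u, resolver=offline) or "ok")
```

The address that passes this check must be the address actually connected to. If the backend re-resolves the name when it fetches, or follows redirects, a DNS-rebinding or redirect to an internal address bypasses the check, so the fetcher should pin the vetted address and re-run the check on every redirect hop.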

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The README documents a Traditional Chinese Medicine face-analysis tool, while the skill metadata claims the skill analyzes driver behavior in vehicle videos. This mismatch is a serious integrity issue because it can mislead reviewers and users about the actual function and data being processed, potentially masking collection and transmission of facial/health-related data under an unrelated safety-analysis label.

Intent-Code Divergence

Severity: High | Confidence: 99%
The documented API behavior materially conflicts with the skill's declared purpose: instead of analyzing unsafe driving behaviors, it performs face analysis and even returns health-style diagnostic inferences. This kind of scope mismatch is dangerous because it can conceal undeclared biometric and sensitive-attribute processing behind a seemingly unrelated road-safety skill, defeating user expectations, consent, and governance controls.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The response schema expands the skill from driving-behavior analysis into facial and health-related diagnosis, including organ-condition and complexion-based inferences. That is dangerous because it introduces processing of highly sensitive biometric and inferred health data that is unrelated to the stated safety-analysis function, increasing privacy, regulatory, and abuse risk.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Health and physiological diagnosis is unjustified in the context of a driver unsafe-behavior analysis skill, especially where the output includes organ-condition assessments and wellness warnings. Such inferences can be inaccurate, discriminatory, or unlawful to collect and process, and they create outsized harm if users did not knowingly submit data for medical or quasi-medical evaluation.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The file content clearly conflicts with the declared skill purpose: it is labeled and configured for face/health analysis, not driver video safety analysis. In an agent skill ecosystem, this mismatch can route sensitive user data to the wrong backend or cause operators to trust a capability that the code does not actually implement, creating a serious integrity and privacy risk.

Intent-Code Divergence

Severity: High | Confidence: 99%
The inline documentation explicitly identifies the module as a traditional Chinese medicine face-diagnosis analysis configuration, which directly contradicts the stated driver-analysis skill. This kind of deceptive or stale labeling increases the likelihood of misdeployment, hidden functionality, and accidental processing of biometric or health-related data under false pretenses.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
The implementation exposed to users is for TCM face-diagnosis, while the skill metadata claims driver unsafe-behavior video analysis. This mismatch is dangerous because users may upload driving footage or personally sensitive videos under false assumptions, causing improper handling of biometric/medical-like data and violating user consent and trust boundaries.

Intent-Code Divergence

Severity: Medium | Confidence: 84%
The function documentation says it analyzes video via an API, but the implementation routes input into a face-analysis workflow. Misleading API semantics can cause operators and downstream systems to invoke the skill on inappropriate content, increasing the risk of unauthorized biometric processing and compliance failures.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The code clearly formats and exports face-diagnosis (面诊) and health-analysis results, not the unsafe-driving behavior analysis declared in the manifest. This semantic mismatch is dangerous because users may submit driver videos believing they are being analyzed for road-safety behavior while the skill may instead route data into a different face/health pipeline, creating deceptive functionality and potential misuse of sensitive biometric data.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
This function accepts local files or remote URLs for upload, but the surrounding parsing and output model indicate the backend is a face/health analysis service rather than a driver-safety detector. In context, that means potentially sensitive video is transmitted under false pretenses, increasing privacy, consent, and data-governance risk for uploaded driver footage.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The model stores authentication-like values (token, open_token) directly in a local SQLite database with no evidence of encryption, hashing, access controls, or minimization. If the database file is exposed through local compromise, backup leakage, or improper workspace permissions, those tokens could enable account takeover or unauthorized API access; this is especially concerning because token storage is unrelated to the stated driving-analysis purpose.
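A reviewer can confirm this finding against an installed copy by inspecting the database the skill writes rather than trusting the model definitions. The script below is an added example written for this review, not part of the skill. It builds a constructed sample database whose `user` table mirrors the described token/open_token columns (the real schema, file name and token format are assumptions), then lists every credential-looking column, whether the stored value is a JWT and when it expires, and whether the file is readable by other local users.

```python
import base64
import json
import os
import pathlib
import re
import sqlite3
import stat
import tempfile

# Column names that usually hold reusable credentials (assumed; extend for the real schema).
SECRET_COLUMN = re.compile(r"token|secret|password|passwd|api[-_]?key|session", re.I)
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_claims(token):
    """Decode (without verifying) the payload of a JWT-shaped token, else None."""
    if not isinstance(token, str) or not JWT_SHAPE.match(token):
        return None
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def audit_token_storage(db_path):
    """List credential-bearing columns and weak file permissions in a skill's SQLite store."""
    findings = []
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append({"kind": "permissions",
                         "detail": f"{db_path} is readable by group/others (mode {mode:04o})"})
    # Open read-only so the audit itself cannot modify the store.
    con = sqlite3.connect(pathlib.Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            q_table = '"' + table.replace('"', '""') + '"'
            for row in con.execute(f"PRAGMA table_info({q_table})"):
                column = row[1]
                if not SECRET_COLUMN.search(column):
                    continue
                q_col = '"' + column.replace('"', '""') + '"'
                values = [r[0] for r in con.execute(
                    f"SELECT {q_col} FROM {q_table} WHERE {q_col} IS NOT NULL AND {q_col} != ''")]
                if not values:
                    continue
                claims = jwt_claims(values[0])
                findings.append({"kind": "plaintext_credential", "table": table, "column": column,
                                 "rows": len(values), "format": "jwt" if claims else "opaque",
                                 "exp": claims.get("exp") if claims else None})
    finally:
        con.close()
    return findings


def build_sample_db(path):
    """Constructed sample mirroring the report's description (a user row with token and
    open_token columns); the skill's real schema and token format are not reproduced."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "u_7f3a9c2d1e", "exp": 4102444800}).encode())
    fake_jwt = f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, open_id TEXT, token TEXT, open_token TEXT)")
        con.execute("INSERT INTO user (open_id, token, open_token) VALUES (?, ?, ?)",
                    ("u_7f3a9c2d1e", fake_jwt, "ot_" + "a" * 32))
    con.close()
    os.chmod(path, 0o644)   # the common default: world-readable


def demo_audit():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "skill.db")
        build_sample_db(path)
        return audit_token_storage(path)


if __name__ == "__main__":
    for finding in demo_audit():
        print(finding)
```

A long-lived `exp` on a stored JWT turns a leaked database into durable API access, which is why the audit reports it alongside the permission bits; the remediation order is to shorten token lifetime at the backend, keep the file 0600, and store refresh material in the OS keychain rather than the skill's own SQLite file.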

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
This utility performs broad authenticated API activity that goes well beyond a narrowly scoped driver-video analysis helper: it auto-discovers or creates users, injects tenant/platform/user identifiers, and manages reusable tokens for arbitrary requests. In the context of a skill advertised for driving-behavior video analysis, this hidden account and auth orchestration increases the blast radius of compromise and creates undisclosed backend access paths.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The code contains payment and recharge workflow handling unrelated to the advertised function of analyzing unsafe driving behavior from video. Embedding monetization/account-balance logic inside a common request utility can steer users into unrelated actions and indicates the skill can trigger business-side flows not apparent from its stated purpose.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill instructs uploading driving videos and associated identifiers to a remote API, but the description does not clearly warn users that sensitive biometric/behavioral video data and open-id values leave the local environment. This undermines informed consent and may violate privacy expectations or compliance requirements, especially because the content involves identifiable driver behavior and historical report retrieval.

Missing User Warnings

Severity: Medium | Confidence: 93%
The README instructs users to send local or remote face videos to an API service and describes health-oriented analysis results, but it does not clearly warn about the privacy and sensitivity of biometric and inferred health data. This is dangerous because users may unknowingly transmit highly sensitive personal data to third-party or self-hosted endpoints without consent, retention, or security expectations being made explicit.

Missing User Warnings

Severity: Medium | Confidence: 93%
The API accepts uploaded videos or public video URLs for face analysis without warning users that biometric and potentially health-related data may be extracted and processed. In this skill context, that omission is more dangerous because the declared use case is driver behavior analysis, so users may not reasonably expect face or sensitive-trait analysis when sharing recordings.

Missing User Warnings

Severity: Medium | Confidence: 88%
The skill sends user-supplied local paths or remote URLs to backend analysis without a meaningful privacy warning or explicit confirmation, despite processing face-related video content. Because this likely involves biometric and potentially sensitive personal data, silent transmission to a backend can create privacy, consent, and regulatory risk.

Missing User Warnings

Severity: Medium | Confidence: 90%
The code uploads local video content or submits remote URLs to a backend service without any user-facing warning, consent prompt, or disclosure in this file. Because the implementation appears to involve face/health analysis, the lack of transparency is more dangerous than a generic upload flow: users may unknowingly transmit biometric or sensitive personal data to an external service.

Missing User Warnings

Severity: Medium | Confidence: 95%
The request wrapper automatically transmits request bodies, params, and authentication headers to remote services without any visible confirmation or consent gate. Because it also enriches requests with tenant, platform, and username metadata, users may unknowingly send identifying and operational data to external systems whenever this helper is used.

Missing User Warnings

Severity: Medium | Confidence: 97%
The helper can remotely create or retrieve user accounts via /sys/phoneLogin using a username/mobile/openId-derived payload, and it does so automatically when tokens are absent. Silent account provisioning without explicit notice or consent is dangerous because it may register users in backend systems and associate their identifiers with services they did not knowingly join.
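The findings on the request wrapper (silent enrichment with tenant, platform and username metadata, automatic account provisioning through /sys/phoneLogin, and the embedded payment and recharge handling) share one fix: an egress policy in front of the transport that allowlists backends, refuses side-effecting endpoints until the user has explicitly consented, and records what identifying data each request carries. The code below is an added example for this review, not the skill's helper. /sys/phoneLogin is the path the report names; the recharge path, the header and body field names, and the allowed host are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Paths that trigger side effects a user should explicitly agree to. /sys/phoneLogin is the
# endpoint the report names; /pay/recharge is a hypothetical stand-in for the payment flow.
CONSENT_REQUIRED = {
    "/sys/phoneLogin": "create or look up a backend account from your username/mobile/openId",
    "/pay/recharge": "start a payment or balance-recharge flow",
}
# Header and body fields that identify the user or tenant (names assumed, not from the skill).
IDENTIFYING_HEADERS = {"tenant", "tenant-id", "platform", "username", "openid"}
IDENTIFYING_BODY_FIELDS = {"mobile", "phone", "username", "openid", "open_id"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    disclosed: dict = field(default_factory=dict)


class EgressPolicy:
    """Decides whether a request the helper wants to send may leave the machine."""

    def __init__(self, allowed_hosts, consent_granted=()):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.consent_granted = set(consent_granted)

    def evaluate(self, method, url, headers=None, body=None):
        headers = headers or {}
        body = body if isinstance(body, dict) else {}
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # What identifying data this request would carry, recorded even when allowed.
        disclosed = {
            "host": host,
            "path": parts.path,
            "headers": sorted(k for k in headers if k.lower() in IDENTIFYING_HEADERS),
            "body": sorted(k for k in body if k.lower() in IDENTIFYING_BODY_FIELDS),
            "auth": any(k.lower() in ("authorization", "x-access-token") for k in headers),
        }
        if parts.scheme.lower() != "https":
            return Decision(False, f"refusing non-HTTPS request to {url}", disclosed)
        if host not in self.allowed_hosts:
            return Decision(False, f"host {host!r} is not an allowed backend", disclosed)
        if parts.path in CONSENT_REQUIRED and parts.path not in self.consent_granted:
            return Decision(False, f"{parts.path} would {CONSENT_REQUIRED[parts.path]}; "
                                   "explicit consent required", disclosed)
        return Decision(True, "allowed", disclosed)


def guarded_request(policy, send, method, url, headers=None, body=None, audit_log=None):
    """Send only what the policy allows; `send` is the real transport, kept injectable here."""
    decision = policy.evaluate(method, url, headers, body)
    if audit_log is not None:
        audit_log.append({"method": method, "url": url, "allowed": decision.allowed,
                          **decision.disclosed})
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return send(method=method, url=url, headers=headers or {}, body=body)


if __name__ == "__main__":
    policy = EgressPolicy(allowed_hosts={"api.example.com"})
    print(policy.evaluate("POST", "https://api.example.com/sys/phoneLogin",
                          headers={"tenant": "t1"}, body={"mobile": "13800138000"}))
```

Consent is keyed on the path rather than on a one-off boolean so that agreeing to the analysis upload does not silently also agree to account creation or to a recharge; the audit log is what lets a user or reviewer see, after the fact, which identifiers actually left the machine and to which host.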

Missing User Warnings

Severity: Medium | Confidence: 94%
The code persists remotely obtained user information and tokens locally through the DAO layer without any visible disclosure, consent, or storage protection details. Local persistence of reusable auth material increases the risk of credential theft, session misuse, and cross-feature backend access if the environment or storage layer is compromised.

VirusTotal

VirusTotal findings are pending for this skill version.
