Fish Respiratory Rate (Gill Opening / Closing) Monitor | 鱼类呼吸频率(鳃盖开合)监测

Security checks across malware telemetry and agentic risk

Overview

The skill’s fish-video analysis purpose is plausible, but it bundles and reaches account login, token storage, cloud history, and broad backend utilities that are not clearly scoped for users.

Install only if you are comfortable sending aquarium videos or URLs to the publisher’s remote services and using an open-id, username, or phone number for cloud history. Review or remove the silent login/registration path, token/profile SQLite storage, invalid yaml dependency, unrelated reference docs, and broad shared API utilities before approving for general use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises a simple fish respiratory-rate analysis workflow, but the documentation indicates access to environment variables, local files, shell commands, networking, and file writes without declaring corresponding permissions. This creates a transparency and least-privilege problem: users and reviewers cannot accurately assess what sensitive resources the skill may access, increasing the risk of unintended credential exposure, data exfiltration, or unsafe execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is local fish-video analysis and alerting, but the skill also describes undisclosed external API usage, implicit account/login behavior, local token persistence, and cloud history retrieval. This mismatch is dangerous because users may provide videos and identifiers under the assumption of narrow analysis, while the skill actually performs identity-linked remote processing and storage beyond the stated scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read local configuration files and treat an api-key as an open-id for subsequent operations. Accessing nearby configuration secrets is not necessary for basic fish-video analysis and risks credential repurposing, secret leakage, and cross-skill privilege abuse if unrelated API keys are harvested from the workspace.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill extends beyond one-time analysis by mandating cloud history queries and user-specific report retrieval. This broadens the data-processing scope to longitudinal, identity-linked records, which increases privacy risk and creates opportunities for unauthorized access to past reports if identifiers are misused or insufficiently validated.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The documentation states that uploaded videos are automatically saved locally, but this behavior is not clearly reflected in the high-level description. Silent local persistence of media can expose sensitive user data, increase retention risk, and create forensic artifacts on disk without informed consent.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documented response schema is for human face detection and health/constitution diagnosis, which is materially inconsistent with the stated fish respiratory-rate monitoring skill. This mismatch can cause the agent or integrators to send aquarium video to an unrelated biometric/health-analysis backend, creating serious integrity and privacy risks and strongly suggesting the referenced API is incorrect, repurposed, or deceptive.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The API is documented as a generic 'common-analysis' video endpoint with only video upload/URL inputs and no fish-specific semantics, constraints, or outputs. In the context of a narrowly scoped fish respiration skill, this raises supply-chain and data-handling concerns because consumers cannot tell what analysis is actually performed or where the video is processed.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill accepts arbitrary http/https URLs and forwards them to backend analysis as `videoUrl` without restricting domain, source, or relation to the aquarium-camera use case. This broadens the skill from fixed-camera local monitoring to general remote content ingestion, which can enable misuse of the backend for unintended external resource access, privacy issues, or policy bypass relative to the declared purpose.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The script exposes a history-listing capability keyed only by an `open_id`, and the accepted values include usernames and phone numbers. In this wrapper there is no visible authentication, authorization, or privacy notice before retrieving historical analysis data, creating a risk of user data enumeration or unauthorized access if the backend does not enforce strict checks.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
This file exposes a generic remote-operation layer with add/edit/delete and arbitrary HTTP GET/POST/PUT/DELETE helpers that are not scoped to the stated fish respiratory monitoring purpose. In an agent skill context, this broad capability expands the attack surface and can enable unintended backend access, data manipulation, or use of the skill as a proxy for unrelated network operations if higher layers pass attacker-controlled URLs or parameters.

Description-Behavior Mismatch

High
Confidence
88% confidence
Finding
The implementation is centered on generic backend API access rather than any fish video analysis, respiratory-rate computation, or hypoxia-warning logic described in the skill metadata. That mismatch is dangerous because it indicates hidden or overbroad capabilities unrelated to the advertised purpose, increasing the likelihood of privilege misuse, covert data access, or repurposing the skill for backend manipulation.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
This shared configuration exposes or enables connectivity to multiple external service endpoints that are not clearly necessary for a fish respiratory-rate monitoring skill. Unnecessary external integrations increase the attack surface, create opportunities for unintended data exfiltration or cross-service access, and are especially concerning here because one endpoint uses plain HTTP rather than HTTPS.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
Including Feishu app integration settings in a skill whose stated purpose is aquarium video analysis suggests over-privileged shared configuration and unnecessary messaging platform capability. Even if secrets are blank in this file, the presence of these identifiers can facilitate unauthorized notification workflows, data leakage to third-party platforms, or later secret injection through environment-specific deployment.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a generic user-account DAO and account lookup/update operations that are unrelated to the declared fish respiratory monitoring purpose. In a narrow-purpose skill, hidden user/account management expands the data-handling surface and can facilitate unnecessary collection, storage, and modification of user records beyond what the user would reasonably expect.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores authentication and profile-related data including token, open_token, email, birthday, age, and sex, which are unrelated to aquarium respiratory monitoring. Collecting and persisting this sensitive data without a clear functional need materially increases privacy risk, breach impact, and the chance of secondary misuse if the local database is accessed by other components or attackers.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code derives the database location from OPENCLAW_WORKSPACE and writes under a shared workspace data directory, coupling this skill to broader host storage. In the context of a simple fish-monitoring skill, that broader access pattern is unjustified and increases the chance of unintended cross-skill data exposure, data mixing, or writing into sensitive host-managed locations.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This utility code includes remote login/account creation, token persistence, and payment/recharge handling that are unrelated to fish respiratory-rate monitoring. Bundling unrelated platform account and billing logic into a monitoring skill expands the attack surface, can trigger unexpected outbound actions using user identifiers, and creates hidden dependencies on external services without clear user consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code can automatically call a remote /sys/phoneLogin endpoint with a supplied username/mobile, using register=1 and silent=1, effectively creating or logging into accounts without visible user interaction. For an aquarium monitoring skill, this is unjustified and dangerous because it may expose personal identifiers, create unauthorized accounts, and obtain tokens for downstream API use.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The presence of recharge/payment instructions in a fish monitoring skill indicates unrelated monetization logic embedded in request handling. While the text itself is not code execution, it reflects coupling to a billing workflow that can mislead users, normalize hidden payment dependencies, and obscure what the skill is actually doing when requests fail.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger rules are broad enough to auto-activate on generic fish-health or video-analysis requests, which can cause the skill to run unexpectedly, collect inputs, save files, or contact remote services without sufficiently specific user intent. Over-broad activation is especially risky here because the skill also performs identity-linked cloud operations and local persistence.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description does not clearly warn users that uploaded videos will be automatically saved locally. The missing privacy notice reduces informed consent and can lead users to share media they would not have uploaded had they known it would persist on disk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill omits a clear warning that historical reports are fetched from a cloud API using user identifiers such as open-id/username/phone. This is dangerous because it introduces identity-linked remote data access and possible account correlation without transparent disclosure, which can surprise users and undermine privacy expectations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs users to upload video files or provide public video URLs but gives no warning about transmitting footage to a remote server, exposing publicly accessible URLs, or possible retention/logging of submitted media. Even though the intended subject is fish, aquarium video can still reveal homes, labs, facilities, or other sensitive environmental details, so omission of privacy guidance is a real security weakness.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The docs require an X-API-Key header but do not warn users to protect secrets, avoid embedding keys in client-side code, or rotate/revoke exposed credentials. This omission increases the chance of accidental credential leakage through source control, logs, shared screenshots, or browser/mobile clients, which could enable unauthorized API use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads arbitrary local files and sends their full contents to the analysis service, but this file provides no user-facing warning, confirmation, or limitation beyond extension and size checks. In a skill advertised as aquarium respiratory monitoring, silent upload of local video files can expose sensitive recordings or unrelated local media to a remote service without clear consent.

VirusTotal

VirusTotal findings are pending for this skill version.
