Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it appears to upload sensitive surveillance video and identifiers to a cloud service while bundling broader face, health, account, and history features than its human-detection purpose explains.

Review before installing. Use only if you trust the publisher and backend with identifiable surveillance footage, open-id values, report history, and locally stored account tokens. Require clear answers on what video is uploaded, what is retained, how history is authorized, how tokens are protected, and why face/health/pet-analysis components are present in a human-detection skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The manifest presents the skill as human detection, but the body also specifies automatic local file saving and cloud-based history/report operations tied to user identifiers. This is a scope expansion beyond the stated purpose, which can mislead users and reviewers about data handling, retention, and external transmission.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill instructs collection of an open-id from local config files or directly from the user, then uses it to save and query reports. This introduces identity handling and possible secret/config harvesting that is not necessary for basic video analysis, increasing privacy risk and the chance of unauthorized access to another user's reports if identifiers are reused or discovered.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The file documents pet health analysis endpoints inside a skill advertised as human-detection analysis, creating a strong capability and domain mismatch. This can mislead operators, cause the wrong backend to be invoked, and indicate copied or misplaced integration material that may expose unrelated sensitive systems or data paths.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The documented API behavior materially contradicts the stated purpose of the skill. Instead of area-based human detection for access monitoring, it describes face detection plus health/constitution diagnosis from video, which indicates undocumented sensitive processing and creates a strong risk of deceptive capability scoping and misuse of biometric data.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Inferring health or constitution from video is highly sensitive biometric/health profiling and is unjustified for a personnel-detection monitoring skill. This expands the system from simple presence detection into invasive surveillance that can enable discrimination, privacy violations, and non-consensual medical inference.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The file documents uploaded/public video analysis for face detection and diagnosis rather than monitoring people entering a target area. This mismatch makes the skill more dangerous because operators may deploy it expecting limited surveillance while it actually supports broader identity-linked and sensitive analysis of video subjects.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The implementation does not appear limited to human/person detection on video streams as described by the skill metadata. Instead, it acts as a generic wrapper around remote analysis/report APIs, creating a capability mismatch that can cause users to submit sensitive surveillance video or files to a broader backend than expected, increasing the risk of undisclosed data processing and misuse.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The code explicitly processes `healthAiResponse` and later `faceAnalysisResponse`, which are unrelated to simple personnel-presence detection. In a surveillance/video-monitoring context, hidden health or face-analysis capability materially increases privacy and compliance risk because it expands processing into biometric or sensitive-inference domains beyond the stated function.

Context-Inappropriate Capability

Severity: Low
Confidence: 74%
Finding
The `show_analyze_list` path exposes a history-listing capability unrelated to the stated human-detection purpose, increasing the accessible data surface. In a monitoring context, historical analysis records may contain sensitive metadata or prior surveillance results, and bundling this into the same skill can enable unnecessary access to retained records beyond the immediate task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
This file exposes generic HTTP client wrappers (`http_get`, `http_post`, `http_put`, `http_delete`) that can send arbitrary requests to caller-supplied URLs. For a skill described as human/person detection analysis, this broad network capability is not constrained to the stated purpose and could be abused by other components to exfiltrate data, contact unexpected endpoints, or perform unauthorized actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The `add`, `edit`, and `delete` methods provide generic remote state-changing operations with no visible scoping to personnel-detection functionality. In the context of a monitoring skill, exposing broad CRUD-style mutation endpoints increases the attack surface and may enable unauthorized modification or deletion of remote resources if these methods are reachable with untrusted input.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
This file defines a full user-account persistence layer storing usernames, email, birthday, age, token, and open_token, which is unrelated to a human-detection skill's stated purpose. That expands the skill into identity and credential handling, increasing the blast radius for privacy violations, token leakage, unauthorized account correlation, and misuse of collected personal data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The DAO automatically creates and alters a local SQLite schema at runtime, including writing into a workspace-derived data directory. For a detection-oriented skill, undeclared persistent storage and schema mutation introduce unnecessary statefulness, make forensic review harder, and create risk of unauthorized retention of operational or personal data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The utility layer performs automatic account creation/login, retrieves tokens, and persists credentials via local DAO logic even though this file is presented as generic helper code for a human-detection skill. That broadens the skill's privileges and creates hidden identity, authentication, and persistence behavior that could create or reuse accounts without clear user consent, increasing the risk of unauthorized API access and credential misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
On HTTP 402, the code injects unrelated instructions to install a payment skill and recharge an account, which is behavior unrelated to human detection and indicates hidden cross-skill monetization flow. This can manipulate users into installing additional capabilities and obscures the real failure path, creating social-engineering and supply-chain expansion risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The default trigger condition activates whenever a user provides a monitoring video URL or file for human detection, which is broad enough to cause unintended automatic execution. In a skill that uploads or processes surveillance footage, over-broad triggering increases the chance of processing sensitive videos without sufficiently explicit user intent or consent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The history-report query is auto-triggered by broad keywords like viewing reports or history, without clear scope checks. Because these actions retrieve cloud-stored, user-linked records, ambiguous triggering can expose sensitive historical surveillance reports when the user did not clearly request that operation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill states that uploaded attachments or video files are automatically saved locally, but the description does not clearly warn users about this persistence behavior. Silent local storage of surveillance footage can create privacy, retention, and forensic exposure risks, especially on shared or insecure hosts.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill handles surveillance video and user identifiers, then sends data to a cloud API, but the description lacks an explicit privacy warning about this external transfer. Because the content may contain sensitive footage and identity-linked report history, undisclosed cloud transmission materially increases privacy, compliance, and data leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script requires an `--open-id` and stores it for subsequent operations, but it provides no user-facing notice about why this sensitive identifier is needed, how it will be used, or whether it will be transmitted or retained. In a personnel-monitoring skill, this creates privacy and compliance risk because operators may unknowingly process personally identifiable information while also handling surveillance-related outputs.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The function submits either a local file path or remote video URL to `skill.get_output_analysis(...)` for analysis without any explicit warning that video data may be sent to an external service. Because this skill performs human detection in parks, offices, and restricted areas, the transmitted content may contain surveillance footage and personal data, making undisclosed remote processing a meaningful privacy and policy risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation encourages uploading videos or supplying public video URLs but provides no privacy, retention, consent, or data-handling guidance. Because the content may include identifiable people and potentially sensitive footage, the absence of these warnings increases the chance of unlawful or unsafe collection and transfer of personal data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The code reads the entire local file and sends it to a remote analysis service without any user-facing notice, consent step, or minimization in this path. For a skill handling office, park, or restricted-area video, that can expose sensitive footage, identities, and location information to an external service unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script collects an `open-id` plus a local file path or remote video URL and submits the content for backend analysis via `skill.get_output_analysis(...)`, but it provides no clear user-facing notice that identifiers and potentially sensitive surveillance footage will be transmitted to an external service. In the context of personnel detection for parks, offices, and restricted areas, this creates meaningful privacy and data-handling risk because users may unknowingly send personally identifiable and security-sensitive video data off-device.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Debug mode enables low-level HTTPConnection and urllib3 logging globally, which can expose request URLs, headers, bodies, and responses containing tokens, user identifiers, or sensitive image-analysis metadata. Because this is activated centrally and without any user-facing warning or redaction guarantees, it materially increases the chance of credential and data leakage through logs.

VirusTotal

VirusTotal findings are pending for this skill version.