
Security checks across malware telemetry and agentic risk

Overview

This image-quality skill needs review because it includes remote media upload, identity handling, token persistence, and face/health analysis behavior beyond its stated purpose.

Install only after reviewing the publisher and confirming you want cloud processing of surveillance media and identifiers. Avoid using it with footage containing people or sensitive locations unless the remote service, retention, consent, and token-storage practices are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
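The "Behavioral AST" pattern above is a static check over the skill's Python sources rather than a runtime observation. The scanner below is an added example, not SkillSpector's own code: it walks the AST of a file and reports the call forms that category names (exec(), eval(), dynamic import) plus getattr() with a non-literal attribute name, which is the shape of the two getattr findings reported further down. SAMPLE_SOURCE is a constructed snippet, not code from the skill.

```python
"""Minimal behavioural-AST scanner for Python sources (added example)."""
import ast
from dataclasses import dataclass

# Callees treated as dynamic import. Dotted names are matched as written.
DYNAMIC_IMPORT_CALLS = frozenset({"__import__", "importlib.import_module"})


@dataclass(frozen=True)
class Finding:
    line: int
    pattern: str
    snippet: str


def _call_name(node: ast.Call) -> str:
    """Return the callee as a dotted name, e.g. 'importlib.import_module'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # callee is an expression we do not name (e.g. a call result)


def scan_source(source: str) -> list[Finding]:
    """Flag exec()/eval(), dynamic imports and getattr() with a computed name."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        pattern = None
        if name in ("exec", "eval"):
            pattern = f"{name}() Call"
        elif name in DYNAMIC_IMPORT_CALLS:
            pattern = "Dynamic Import"
        elif (
            name == "getattr"
            and len(node.args) >= 2
            and not isinstance(node.args[1], ast.Constant)
        ):
            # getattr(obj, "literal") is benign; a computed name is the finding.
            pattern = "Dynamic attribute access via getattr()"
        if pattern:
            findings.append(Finding(node.lineno, pattern, lines[node.lineno - 1].strip()))
    # ast.walk is breadth-first; report in source order.
    return sorted(findings, key=lambda f: f.line)


# Constructed input for the demo; not code from the scanned skill.
SAMPLE_SOURCE = """\
import importlib

def query(model, filters):
    for key, value in filters.items():
        yield getattr(model, key) == value

def load(plugin):
    mod = importlib.import_module(plugin)
    return eval("mod.run()")

print(getattr(model, "id"))
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.pattern}: {f.snippet}")
```

The literal `getattr(model, "id")` on the last sample line is deliberately not reported; the confidence the report attaches to each getattr finding is the scanner's own scoring, which this example does not reproduce.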
Findings (25)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
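Both getattr() findings are rated Low, but they matter more in this skill than the rating suggests: the DAO resolves every caller-supplied filter key to a model attribute, and the same file's User model (see the findings below) carries `token` and `open_token`. An equality filter on a secret column is a guessing oracle. The code below is an added example, not the skill's DAO: it uses an in-memory dataclass as a stand-in for the SQLAlchemy model, keeps the reported getattr() pattern as-is in one function, and shows the allowlist that a hardened version would apply before the name ever reaches getattr(). Rows and token values are constructed.

```python
"""Filter-key allowlisting before getattr() on a model (added example)."""
from dataclasses import dataclass


@dataclass
class User:
    # Stand-in for the skill's User model; field names follow the report.
    id: int
    username: str
    email: str
    token: str        # credential material, must never be filterable
    open_token: str   # same


# Constructed rows standing in for the local database table.
USERS = [
    User(1, "alice", "alice@example.com", "tok-a1", "otok-a1"),
    User(2, "bob", "bob@example.com", "tok-b2", "otok-b2"),
]


def find_unsafe(rows, filters):
    """Mirrors the reported pattern: every key becomes a model attribute."""
    for key, value in filters.items():
        rows = [r for r in rows if getattr(r, key) == value]
    return rows


# Hardened version: the caller may only filter on columns we chose to expose.
FILTERABLE = frozenset({"id", "username", "email"})


def find_safe(rows, filters):
    """Reject unknown or sensitive keys before any attribute lookup."""
    unknown = set(filters) - FILTERABLE
    if unknown:
        raise ValueError(f"unsupported filter column(s): {sorted(unknown)}")
    for key, value in filters.items():
        rows = [r for r in rows if getattr(r, key) == value]
    return rows


def token_oracle(find, candidate):
    """True/False if the finder leaks whether a token exists, None if it refuses."""
    try:
        return bool(find(USERS, {"token": candidate}))
    except ValueError:
        return None


if __name__ == "__main__":
    print("unsafe oracle:", token_oracle(find_unsafe, "tok-b2"))  # leaks True
    print("safe oracle:", token_oracle(find_safe, "tok-b2"))      # refuses
    print("safe lookup:", find_safe(USERS, {"email": "alice@example.com"}))
```

With a real SQLAlchemy model the allowlist should be an explicit set as above, not `Model.__table__.columns.keys()`, because the column list still includes the secret columns; the point is to choose the exposed columns, not to discover them.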

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to read local configuration files and use an api-key value as the open-id before running analysis. For an image-quality tool, harvesting identifiers or secrets from local config is unnecessary and risks exposing credentials or repurposing a secret for remote API calls without informed user approval.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill claims to analyze image quality but also includes cloud history-report retrieval and listing behavior. While not inherently malicious, this expands the data-access scope from single-image processing to historical record access, which can expose prior analyses and metadata beyond what a user may expect from a simple detection tool.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The API documentation claims to support generic video/image quality analysis, but the documented response returns face detection and health/constitution diagnosis data that is unrelated to the declared skill purpose. This mismatch is dangerous because it can conceal undeclared biometric and sensitive health inference processing behind an innocuous surveillance-quality feature, undermining informed consent, review, and policy enforcement.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented output includes face detection and health diagnosis capabilities that exceed the stated purpose of camera footage quality detection. In this context, scope expansion is especially risky because surveillance footage may contain identifiable individuals, so undeclared biometric and physiological inference can introduce serious privacy, compliance, and misuse concerns.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Health and physiological inference from video is context-inappropriate for a camera footage quality detection skill and involves highly sensitive categories of personal data. Presenting organ-condition and constitution analysis in this setting increases the risk of covert profiling, unsupported medical inference, and collection of sensitive information without user expectation or authorization.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill declares an image-quality detection purpose, but the response parsing explicitly supports `healthAiResponse` and later code also references face/health analysis structures. This indicates capability drift or code reuse from a different domain, which can cause the skill to process or expose sensitive health-related outputs that users did not intend to invoke, creating a privacy and trust boundary violation.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The historical report listing extracts `healthAssessment.subject` from `healthAiResponse` or `faceAnalysisResponse` instead of image-quality findings, directly contradicting the stated surveillance/image QA purpose. That can surface unrelated and potentially sensitive inference results in a context where operators expect only camera-quality diagnostics, increasing the risk of unauthorized disclosure and deceptive behavior.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The history/listing capability can expose prior analysis outputs and associated user activity beyond the stated purpose of the skill. In a surveillance or camera-analysis context, historical results may reveal sensitive operational data, and this function is callable without any visible authorization checks in this file.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file defines a generic User/UserDao persistence layer even though the skill is described as image-quality detection analysis. This mismatch is dangerous because hidden user-account storage and management capabilities expand the attack surface and create opportunities for unnecessary collection or manipulation of identity data within a skill that should not need it.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The User model stores sensitive identity and credential-like fields such as username, email, token, and open_token, and the DAO supports modifying them. In the context of an image-quality detection skill, this is highly suspicious and materially increases the risk of credential retention, unintended local secret storage, and misuse of user data unrelated to the advertised function.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The DAO derives a workspace path from the OPENCLAW_WORKSPACE environment variable and creates a local database file under a data directory. For an analysis-focused image-quality skill, undisclosed filesystem writes and environment-aware persistence are risky because they introduce hidden state, broaden the skill's operational scope, and may store unrelated data in shared workspace locations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility performs authenticated remote API calls, injects identity and tenant metadata, and includes logic to obtain tokens and provision accounts, which materially exceeds the stated purpose of image-quality detection. In this skill context, hidden account management and external service access are especially risky because users would not expect surveillance-image analysis code to create or authenticate users on their behalf.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `_get_or_create_user` helper silently sends a username/mobile/openId to a remote `/sys/phoneLogin` endpoint with `register=1`, enabling automatic login or account creation without clear disclosure. For an image-quality analysis skill, this is unrelated functionality that can expose user identifiers and create accounts unexpectedly, increasing privacy and abuse risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code stores retrieved `token`, `openToken`, and user profile data via `user_dao.save`, creating local persistence of sensitive authentication material beyond the declared skill purpose. Persisting tokens increases the blast radius of local compromise and makes unauthorized reuse of credentials more likely.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad default trigger language can cause the skill to run in situations where the user did not intend to invoke remote analysis or file handling. In this context, unintended invocation is more dangerous because the skill can save uploaded files locally and call external services, potentially exposing surveillance imagery or operational metadata.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The automatic history-query trigger is based on broad natural-language phrases, which can cause unintended access to cloud-hosted report listings. Because those reports may contain sensitive monitoring artifacts or timestamps, accidental invocation can leak more information than the user intended to retrieve or display.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation does not clearly warn users that local image/video files and supplied URLs may be transmitted to a remote API. For surveillance and camera self-check scenarios, this omission is significant because footage can contain sensitive scenes, locations, or individuals, and silent upload changes the privacy and compliance posture of the tool.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to upload videos or provide public video URLs but does not warn that the content may contain faces or other sensitive personal data, nor does it explain handling requirements. Given the same document later describes face and health-related analysis, the absence of privacy notice materially increases the chance of improper collection, transfer, and processing of sensitive footage.

Natural-Language Policy Violations

Low
Confidence
83% confidence
Finding
The documentation presents health and constitution diagnosis as straightforward output without qualification, validation limits, or disclaimers. While this is less severe than covert scope expansion, it is still risky because users may treat speculative or non-clinical outputs as medically meaningful, creating policy, trust, and downstream harm issues.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads the entire local file and uploads it to the remote analysis API without any user-facing disclosure, consent prompt, or minimization visible in this file. For surveillance footage, this can expose sensitive video contents, locations, or bystanders to an external service unexpectedly, making the privacy risk significant in this skill context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The CLI requires an open_id that may be a username, phone number, or other sensitive identifier, but the code provides no privacy notice, minimization, masking, or handling constraints. In combination with analysis/history features, this increases the risk of unnecessary collection and potential disclosure of personally identifiable information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When debug mode is enabled, the code turns on low-level HTTP logging for `urllib3` and `http.client`, which can expose request URLs, headers, payloads, and responses. Because this same file handles tokens and user identity fields, debug output may leak secrets or personal data into logs without any user-facing warning.
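Debug-level HTTP logging in a file that also handles tokens and identity fields is a secret leak waiting for a log shipper. The code below is an added example, not the skill's code: it shows how a redacting logging.Filter on the handler masks Authorization/Cookie headers, `token`/`openToken`/`openId`/`pnaUserName` values in query strings and JSON bodies before they are written. The logger name `urllib3.connectionpool` is the one urllib3 emits request lines to; the log messages are constructed for the demo and do not reproduce the skill's real traffic.

```python
"""Redacting filter for HTTP debug logs (added example)."""
import logging
import re

# (pattern, replacement) pairs applied in order to every log message.
PATTERNS = [
    # Header lines such as "Authorization: Bearer <value>"; mask to end of line.
    (re.compile(r"(?i)((?:authorization|cookie|x-api-key|pnausername)\s*:\s*)[^\r\n]+"),
     r"\1[REDACTED]"),
    # key=value in query strings or form bodies.
    (re.compile(r"(?i)((?:token|opentoken|open_token|openid|mobile|password)=)[^&\s]+"),
     r"\1[REDACTED]"),
    # "key": "value" in JSON bodies.
    (re.compile(r'(?i)("(?:token|opentoken|open_token|openid|mobile|password)"\s*:\s*")[^"]*(")'),
     r"\1[REDACTED]\2"),
]


def redact(text: str) -> str:
    """Mask secret and identity values in a single log message."""
    for pattern, repl in PATTERNS:
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the record in place; attach to the handler so child loggers are covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted records so the demo can inspect what would be written."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


def demo() -> list:
    """Enable DEBUG on urllib3's logger, as the skill's debug mode does, with redaction."""
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("urllib3.connectionpool")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    try:
        # Constructed messages in the shape of urllib3 request lines and a JSON body.
        log.debug('%s "POST %s HTTP/1.1" 200', "https://api.example.com:443",
                  "/sys/phoneLogin?openId=alice&token=tok-a1")
        log.debug('{"token": "tok-a1", "openToken": "otok-a1", "userName": "alice"}')
        log.debug("Authorization: Bearer eyJhbGciOi.constructed")
    finally:
        log.removeHandler(handler)
    return handler.records


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter sits on the handler rather than the logger because logger-level filters do not apply to records propagated from child loggers. Note the caveat for the other half of the finding: `http.client` debug output (`HTTPConnection.debuglevel`) is written with print() to stdout and never passes through the logging module, so no logging filter can redact it; the only fix there is to leave it off.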

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request utility automatically attaches user identity (`pnaUserName`), tenant code, app identifiers, and authentication headers to outbound requests with no evident consent or purpose limitation. In a camera image-quality skill, undisclosed transmission of identity and auth data is more dangerous because the functionality appears unrelated to the user-visible feature set.

VirusTotal

VirusTotal findings are pending for this skill version.
