Pet Restricted-Area Warning Skill (宠物禁区预警技能)

Security checks across malware telemetry and agentic risk

Overview

This pet-monitoring skill can upload private home video and account identifiers to a cloud service, and it also performs under-disclosed account provisioning, token storage, history retrieval, and broader video-analysis behaviors.

Install only if you trust the publisher and remote service with household video, snapshots, report history, usernames or phone numbers, and locally stored service tokens. Confirm the service's retention, deletion, authorization, and pet-only processing guarantees before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Requiring an open-id sourced from config files or prompting for a username/phone number introduces collection and use of account-linked identifiers beyond what is necessary for analyzing a pet-monitoring video. Pulling identifiers from local config also risks silent cross-context data use, while asking for phone numbers expands personal data handling and privacy exposure.

Context-Inappropriate Capability

Severity: Medium | Confidence: 87%
The skill expands from real-time video analysis into cloud history listing and report retrieval, which is outside the core monitoring scope described in the manifest. That scope creep increases data access to stored reports and snapshots, creating unnecessary privacy and authorization risk if historical records are fetched or displayed without a clear need-to-know basis.

Intent-Code Divergence

Severity: Low | Confidence: 78%
The examples repeatedly use a concrete open-id value while the text warns against assuming or generating one, which can normalize unsafe operator behavior. In practice, users or downstream agents may copy the example verbatim, causing report mix-ups, unauthorized access under a shared identifier, or accidental data association across accounts.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
The function accepts an arbitrary remote URL and forwards it to backend analysis without any apparent allowlist, scope restriction, or validation that it is actually a pet-monitoring source. This expands the skill from local home pet monitoring into a generic remote video ingestion capability, which can be abused to analyze unrelated third-party content or trigger backend access to attacker-controlled endpoints.

Context-Inappropriate Capability

Severity: Medium | Confidence: 84%
The history-listing function retrieves prior analysis results based only on a supplied open_id/user identifier, with no visible authentication, authorization, or binding to the current caller. If the backend honors this directly, an attacker who can guess or supply another user's identifier may enumerate or access that user's monitoring history.

Description-Behavior Mismatch

Severity: Medium | Confidence: 80%
The implementation goes beyond a simple real-time pet alerting tool: it submits videos or URLs for backend processing and supports retrieval/export of prior results. This mismatch increases security and privacy risk because users and reviewers may not expect persistent storage, retrospective querying, or exportable analysis artifacts from the described functionality.

Intent-Code Divergence

Severity: High | Confidence: 98%
The documented API endpoint and response schema are materially inconsistent with the skill's declared purpose of pet restricted-area warning. Instead of pet-behavior detection, it describes face detection and health/constitution diagnosis, indicating either a mismapped backend or undeclared secondary processing of human biometric and sensitive health-like data from uploaded household videos. In a home monitoring context, this greatly increases privacy and misuse risk because users may submit indoor videos expecting pet alerts while the service analyzes people.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The response format explicitly includes human face detection and medical-style diagnosis content, which expands functionality far beyond pet behavior alerting. This is dangerous because indoor pet-monitoring videos often capture residents and visitors, so undocumented biometric analysis and health inference can expose highly sensitive personal data and create serious privacy, compliance, and trust issues.

Description-Behavior Mismatch

Severity: High | Confidence: 89%
The implementation is a generic video/file analysis and report-listing wrapper, which materially exceeds the declared pet restricted-area warning scope. Scope drift like this is dangerous because it can enable broader surveillance or arbitrary content analysis under a misleading manifest, weakening user consent, review accuracy, and policy enforcement.

Context-Inappropriate Capability

Severity: Medium | Confidence: 87%
The code accepts arbitrary http/https URLs and forwards them for analysis, which expands the skill from local pet-monitoring into unrestricted remote video processing. This is risky because it can be abused to analyze third-party or sensitive remote content without clear authorization boundaries, contrary to the stated home pet warning purpose.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
This file exposes generic network helper methods for arbitrary POST, PUT, GET, and DELETE operations, which is broader than the declared pet-monitoring purpose of the skill. In an agent-skill context, such reusable outbound HTTP primitives can be repurposed to contact unexpected endpoints or perform unauthorized remote actions, increasing the attack surface and enabling capability creep beyond monitoring and alerting.

Context-Inappropriate Capability

Severity: Medium | Confidence: 86%
The add, edit, delete, and http_put methods support remote state-changing operations that are not obviously necessary for a skill described as monitoring restricted pet behavior and issuing alerts. If these methods are reachable by the agent or other skill components, they could be abused to modify remote resources or trigger unintended side effects on backend systems.

Context-Inappropriate Capability

Severity: High | Confidence: 90%
The module defines a generic user table that stores usernames, email, birthday, age, tokens, and open tokens, which is significantly broader than what a pet restricted-area warning skill appears to need. Collecting and persisting identity and authentication-token data in an unrelated skill expands the attack surface and creates unnecessary privacy and credential-compromise risk if the local database is accessed or reused by other components.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
This utility performs authenticated API setup, token management, and account provisioning logic that is far broader than a pet restricted-area warning skill needs. Embedding generic cross-platform account creation and privileged request handling in shared helper code increases the chance that the skill can act on behalf of users or backend services without explicit consent, expanding the blast radius if abused or misconfigured.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The helper silently calls a phoneLogin endpoint with openId/mobile derived from a username and can auto-register a user with silent=1 and register=1. That enables account creation or login without clear user interaction in this file, which is dangerous because a pet-monitoring skill should not implicitly provision identities or bind identifiers behind the scenes.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The code persists and reuses token and profile data via DAO operations, even though that behavior is unrelated to the stated pet-alerting function. Storing and rehydrating tokens in shared utility code increases the risk of unauthorized API use, token leakage, and lateral functionality beyond the skill's declared purpose.

Missing User Warnings

Severity: Medium | Confidence: 90%
Automatically saving uploaded attachments or video files to local storage without a clear warning or consent creates an undisclosed data retention risk. Pet-monitoring videos can contain home interiors, people, and routines, so silent persistence increases privacy exposure if files are later accessed, retained too long, or stored insecurely.

Missing User Warnings

Severity: Medium | Confidence: 88%
Sending real-time alerts and on-site snapshots to user terminals and maintaining cloud-accessible history involves transmission and storage of potentially sensitive in-home imagery, yet the description lacks a clear privacy notice. Without explicit disclosure, users may not understand that images of their home environment and occupants could be uploaded, retained, and later queried.

Missing User Warnings

Severity: Medium | Confidence: 90%
The API doc instructs users to upload video files or provide publicly accessible video URLs but gives no warning about privacy, transmission, retention, or third-party access risks. For a home pet-monitoring skill, submitted videos are likely to contain private household scenes, people, routines, and interiors, so the omission can lead to unsafe handling of sensitive footage and uninformed user consent.

Missing User Warnings

Severity: Medium | Confidence: 82%
The skill reads full local file contents and uploads them to an external analysis API, but this code shows no user-facing notice, consent prompt, or data-handling disclosure. That creates a privacy and compliance risk because users may believe analysis is local or limited to pet alerts while sensitive video data is actually transmitted off-device.

Missing User Warnings

Severity: Medium | Confidence: 90%
This file transmits sensitive identifiers and request payload data, including mobile/openId-derived fields, authorization headers, and pnaUserName, to remote endpoints without any visible user-facing disclosure or consent handling. In the context of a home pet-monitoring skill, hidden transmission of identity-linked data is especially concerning because users would reasonably expect camera alerts, not silent backend identity operations.

Missing User Warnings

Severity: High | Confidence: 98%
The helper silently creates or logs in a user account via a network call without warning or confirmation. That is dangerous because it can establish backend identity and access state outside user awareness, which is disproportionate to the advertised pet-monitoring functionality and could be abused to impersonate or enroll users unexpectedly.

VirusTotal

63/63 vendors flagged this skill as clean.