Workplace Phone-Use Smart Monitoring Skill (职场玩手机智能监测技能)

Security checks across malware telemetry and agentic risk

Overview

This skill is a workplace video-monitoring tool, but it bundles under-disclosed face/health analysis code and stores authentication tokens locally after silent account setup.

Review before installing. Only use this with explicit workplace notice, legal/HR approval, and a clear data-processing agreement. Do not provide employee footage, phone numbers, usernames, or API keys unless you accept remote processing and local token storage. The publisher should remove or separately disclose the face/health-analysis component, narrow dependencies, document retention and deletion, and make account creation/token persistence explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The README describes a Traditional Chinese Medicine face-diagnosis skill that analyzes health status from facial video, which materially conflicts with the manifest claim that this skill detects employee phone usage. This kind of capability mismatch is dangerous because it can mislead reviewers and users into enabling a skill that processes biometric and health-related data under false pretenses, bypassing appropriate consent, policy review, and data-governance controls.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The documented workflows, inputs, and outputs center on uploading local or remote face videos to an API and receiving structured diagnostic reports, not on real-time or image-based phone-use detection and counting. This expands the risk beyond simple mislabeling: operators may unknowingly send sensitive facial data to external services while expecting a workplace-behavior analytics tool, creating serious privacy, compliance, and trust issues.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The referenced API document is materially inconsistent with the stated skill purpose: it describes face analysis and returns health and constitution-style diagnosis rather than employee phone-usage detection. This kind of capability mismatch is dangerous because it can conceal undisclosed biometric and health inference processing behind a seemingly narrower workplace-monitoring function, leading to privacy, compliance, and misuse risks.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Health and physiognomy-style outputs such as organ condition, complexion correspondence, and constitution analysis are unjustified for a workplace phone-usage monitoring skill and indicate sensitive inference from facial/video data. Such processing can enable discriminatory profiling, pseudoscientific decision-making, and collection of special-category biometric or health-related data without a legitimate need.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The file contents clearly configure face/health-analysis endpoints and labels, which materially contradict the skill manifest claiming employee phone-usage monitoring. This kind of capability mismatch is dangerous because it can conceal undeclared biometric or health-processing behavior behind an unrelated description, defeating user consent, review, and policy controls.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The header comment explicitly states this is a TCM face-diagnosis analysis configuration file, directly conflicting with the declared phone-usage monitoring purpose. In security review, such contradiction is a strong indicator of mislabeled or repurposed code, which increases the risk of hidden collection or processing of sensitive facial and health-related data.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The implementation calls a face-analysis workflow and presents the feature as traditional Chinese face diagnosis, which materially contradicts the declared employee phone-usage monitoring purpose. This kind of capability mismatch is dangerous because it can cause operators to collect and transmit sensitive biometric/health-adjacent data under a false pretext, defeating user consent, policy review, and least-privilege expectations.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The CLI and help text advertise face-diagnosis and video-history behavior that conflicts with the manifest's stated phone-usage monitoring function. Misleading interfaces are a security issue here because they obscure the actual data processing performed, increasing the chance of unauthorized collection, improper deployment, and failed security/privacy review.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The implementation is for face/health analysis and report export, while the skill metadata claims it monitors employee phone usage. This mismatch can cause users to submit images or videos under false pretenses, leading to unexpected collection, processing, and export of sensitive biometric and health-related data. In this context, the discrepancy materially increases privacy and compliance risk because face/health data is more sensitive than the declared phone-usage monitoring function.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The inline documentation explicitly describes fetching face-diagnosis report lists, contradicting the manifest's phone-monitoring purpose. This reinforces that the skill may expose or retrieve unrelated sensitive medical/biometric reports, creating a deceptive data-handling path and increasing the chance of unauthorized access or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The file exposes generic HTTP helpers (GET/POST/PUT/DELETE) that will send requests to caller-supplied URLs with no apparent restriction to approved endpoints or to the phone-usage monitoring feature set. In an agent/skill context, this creates unnecessary arbitrary network capability that can be repurposed for exfiltration, pivoting to internal services, or contacting unrelated remote systems.

Context-Inappropriate Capability

Severity: Medium
Confidence: 77%
Finding
The CRUD-style wrappers (list/add/edit/delete) provide broad remote resource management primitives rather than narrowly implementing the advertised computer-vision monitoring function. Even if intended as convenience code, such generic management operations expand the attack surface and can be abused by higher-level code to manipulate arbitrary backend resources unrelated to the stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The module defines a shared user table that stores authentication-related secrets such as token and open_token, even though the advertised skill is phone-usage monitoring. This data minimization failure increases privacy and credential-exposure risk, especially in a workplace surveillance context where collecting unrelated account data is more sensitive and harder to justify.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
This shared utility performs broad outbound HTTP access, token handling, and user/account provisioning that are not necessary for a phone-usage detection skill. In this context, embedding a general-purpose network/auth layer expands the skill's capability beyond its declared purpose and creates a channel for unauthorized data transmission, account manipulation, and hidden service interaction.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The code automatically logs in or registers users via /sys/phoneLogin, retrieves tokens, and persists them locally through the DAO path without explicit consent. For a skill advertised as computer-vision monitoring, silent identity provisioning and credential storage are out of scope and dangerous because they can create accounts, bind identities, and retain reusable authentication material.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The code contains an undisclosed payment/recharge workflow triggered by HTTP status 402, including instructions to install another payment skill. This exceeds the manifest's stated behavior and can be used to steer users into unexpected financial actions or cross-skill interactions that they did not intend.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The history-report trigger phrases are broad enough that ordinary user language may unintentionally activate report-listing behavior. In a skill handling employee-monitoring records, accidental activation can disclose sensitive historical reports or metadata without a clear, deliberate user request.

Missing User Warnings

Severity: High
Confidence: 91%
Finding
The skill processes workplace surveillance images/videos and sends them to an API service, but the description does not prominently warn users about external transmission of employee monitoring media. This is dangerous because it can lead to covert handling of highly sensitive personal data, creating privacy, compliance, and consent risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The instructions allow sourcing the operational open-id from configuration files or user identifiers, but this is not clearly disclosed to users. That can result in unexpected use of local configuration secrets or personal identifiers during report storage/query flows, undermining informed consent and safe credential handling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation states that the skill uses a cloud vision AI service to analyze office images and video, but it does not prominently warn that workplace imagery containing employees will be transmitted to a remote provider. In a surveillance context, this omission can mislead deployers about where sensitive employee data is processed, increasing the risk of privacy violations, unlawful monitoring, and improper third-party data sharing.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The skill promotes workplace behavioral surveillance of employees' phone usage and frames it as a management/compliance tool without clearly restricting use to justified, proportionate, consented, and jurisdiction-appropriate scenarios. Because this targets employee behavior in privacy-sensitive settings, vague compliance language at the end is insufficient and may enable intrusive or unlawful monitoring, unfair disciplinary use, and chilling effects on workers.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script requires an open_id that may be a username, phone number, or other personal identifier, then stores it in a process-global variable and uses it in an employee surveillance context without any notice, minimization, or visible safeguards. In this skill context, that is more sensitive because the tool is explicitly designed to monitor worker behavior, increasing privacy and compliance risk if identifiers are mishandled, logged, or transmitted to backend services.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README instructs users to submit face videos to an API for health-style analysis but does not clearly warn that this involves transmitting biometric and potentially health-related data. In this context, the omission is significant because the skill already appears mislabeled, making it more likely that users will share highly sensitive data without informed consent or an understanding of downstream privacy risks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The API accepts uploaded videos and public video URLs for face analysis but provides no warning or safeguards for biometric and other sensitive personal data contained in those recordings. In the context of workplace surveillance, this omission increases the risk of unlawful collection, over-retention, insecure sharing, and secondary use of employee video data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The analysis function forwards a local path or remote URL into an external analysis flow without any visible user warning, consent prompt, or privacy notice, despite operating on video that may contain faces and other sensitive employee information. In this skill context, that is more dangerous because the declared workplace-monitoring use case involves surveillance of employees, making undisclosed external processing of biometric/video data especially sensitive.

VirusTotal

VirusTotal findings are pending for this skill version.