Psychological Stress Assessment Skill (心理压力评估技能)

Security checks across malware telemetry and agentic risk

Overview

This skill may perform the advertised stress analysis, but it handles sensitive face and mental-health data with unclear identity, history, credential, persistence, and API-scope boundaries that need human review.

Install only after reviewing the provider and data-handling terms. Treat uploaded videos/images, open-id values, usernames, phone numbers, report history, generated report links, and cached tokens as sensitive. Do not use it on other people without consent, avoid real phone numbers unless the provider is trusted, and resolve the dependency/config concerns before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)


Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill invokes local scripts, reads configuration files, saves uploaded files locally, and calls remote APIs, yet it declares no permissions. This mismatch hides powerful file, shell, network, and environment access from reviewers and users, making unauthorized data access or exfiltration easier to overlook, especially problematic given the biometric and mental-health context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The skill instructs the agent to read local configuration files to obtain an api-key/open-id before performing analysis. Accessing unrelated local config data expands the skill's reach beyond its stated purpose and can expose secrets or personal identifiers from the workspace without clear necessity or user awareness.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The documentation describes a pet health analysis API while the skill metadata claims human psychological stress assessment. This kind of domain mismatch is dangerous because it can cause an agent or integrator to invoke the wrong backend, mis-handle sensitive health data, and produce unsafe or misleading outputs in a mental-health context.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The function is described as user-specific but ignores the supplied open_id and calls skill.get_output_analysis_list() without any visible filtering or authorization binding. In a mental-health assessment context, this can expose other users' stress/anxiety/depression analysis history, making the privacy impact especially severe because the data is sensitive health-related information.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The documented endpoint and response schema describe a generic/common analysis service returning traditional constitution and organ-condition diagnosis, which is materially different from the advertised psychological stress assessment capability. This kind of scope mismatch is dangerous because it can mislead integrators into sending sensitive mental-health video data to an API that performs unrelated processing, undermining informed consent, trust, and safe handling of highly sensitive biometric data.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The response fields shown in the documentation do not match the skill's claimed purpose of analyzing stress, anxiety, and depression tendencies; instead they present unrelated diagnosis content. In a mental-health monitoring context, this inconsistency is especially dangerous because users and developers may rely on false claims about what the system measures, producing deceptive health-related outputs and invalid downstream decisions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The skill claims to perform psychological stress assessment, but this service also exposes generic record-management capabilities including listing, adding, editing, paging, and deleting records. That creates unnecessary attack surface and indicates the implementation can manipulate backend resources beyond the narrowly described analysis purpose, which is risky for a mental-health skill handling sensitive data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The delete method allows resource deletion by camera serial number, which is unrelated to the stated purpose of analyzing stress, anxiety, and depression tendencies. In a mental-health monitoring context, this mismatch is especially concerning because it could be used to tamper with or remove monitoring records or associated device data, impacting integrity and availability of sensitive assessment workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The skill accepts arbitrary http/https URLs and forwards them to a backend analysis API without any allowlisting, scheme hardening, or user-facing constraints. In this context, the manifest describes mental-health video analysis, so broad remote URL ingestion expands the skill's effective capability and may enable unintended fetching of third-party or internal resources by the downstream service, as well as privacy-sensitive processing of externally hosted videos.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The skill exposes report-listing and report export URL generation functionality beyond simple stress analysis, which materially broadens access to historical sensitive mental-health results. Because these reports may contain highly sensitive biometric and psychological inferences, exposing enumeration/listing and direct export-link construction can increase the risk of unauthorized access or excessive data disclosure if access control is weak elsewhere.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The file exposes generic HTTP helpers (`http_post`, `http_put`, `http_get`, `http_delete`) that can send requests to arbitrary URLs, which is broader than the stated purpose of psychological stress assessment. In an agent skill context, this expands the attack surface for unintended data exfiltration, SSRF-style access to internal services, or use of the skill as a general network proxy, especially if higher-level code passes user-controlled URLs or payloads.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The presence of generic CRUD-style methods (`add`, `edit`, `delete`) enables remote state-changing operations unrelated to an analysis-only mental health monitoring skill. Even though these are wrappers, they normalize arbitrary modification actions and could be abused by surrounding code to alter external resources, increasing the risk of unauthorized writes or destructive operations if endpoints or parameters are attacker-controlled.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The skill claims to perform psychological stress assessment, but this file implements a generic user-account persistence layer with profile and token fields. That creates an unjustified data-collection surface and expands the skill's capabilities beyond its declared purpose, increasing privacy and abuse risk if deployed in a mental-health context.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The model stores authentication-like material (token, open_token) together with sensitive personal profile data in a skill focused on mental-health analysis. In this context, unnecessary token retention can enable account/session compromise and magnifies the privacy impact of any local database exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: This utility file contains broad HTTP, token, account, and retry logic that materially exceeds the stated purpose of a psychological stress assessment skill. In a mental-health context, bundling unrelated backend access and account-management behavior increases the attack surface and makes it harder for users and reviewers to understand what data is being transmitted and why.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: The code automatically creates or logs in a user by sending identifiers such as mobile/openId to a health endpoint when tokens are absent, without any visible consent gate in this file. For a mental-health monitoring skill, silent account provisioning tied to personal identifiers is especially sensitive because it can create unintended accounts, expand data collection, and link assessment activity to an identity.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill processes highly sensitive biometric signals and infers stress, anxiety, and depression tendencies, but the description does not clearly warn users about mental-health profiling, data sensitivity, or downstream risks. In this context, missing informed-consent language materially increases the chance of covert or non-consensual processing of protected personal data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill says uploaded attachments will be automatically saved as local files, but it provides no upfront notice about file handling, retention, or deletion. Silent local persistence of sensitive face images or videos increases exposure to unauthorized access, reuse, or later leakage from the host environment.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill requires a username or phone number as an open-id for report storage/querying without a clear privacy disclosure about collecting and linking personal identifiers to mental-health assessment results. Combining direct identifiers with sensitive psychological inferences raises significant privacy, misuse, and compliance risks if users are not fully informed.

Missing User Warnings

Severity: High
Confidence: 90%
Finding: The tool submits media for psychological-stress analysis to an external service without an explicit privacy notice or consent flow, despite handling highly sensitive biometric and mental-health-related data. In this context, silent transmission can lead to unauthorized disclosure, regulatory noncompliance, and misuse of intimate personal information.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The API accepts uploaded videos and public video URLs, which are likely to contain biometric and potentially mental-health-related data, but the documentation provides no warning about privacy, retention, consent, or secure transmission expectations. In this context, omission of such notice increases the risk of unauthorized sharing of highly sensitive personal data and noncompliant collection practices.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill reads arbitrary local file contents into memory and uploads them to a remote analysis service, but this code shows no user-facing disclosure, confirmation, or minimization controls. Given the skill's mental-health monitoring context and the sensitivity of biometric video data, silent transmission of local files can expose highly sensitive personal information and create consent, privacy, and compliance risks.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The skill forwards user-supplied remote video URLs for analysis without visible disclosure that third-party hosted content will be fetched and processed by an external service. In a mental-health assessment workflow, this creates privacy and consent concerns and may cause users to submit content they do not control or are not authorized to process.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The CLI requires a sensitive identifier via --open-id and stores it in a global runtime constant without any privacy notice, minimization, masking, or validation. In a mental-health assessment context, linking stress, anxiety, or depression results to a direct user identifier increases privacy risk, re-identification risk, and the likelihood of mishandling regulated or highly sensitive personal data.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The debug log prints the full `prompt`, which may contain sensitive mental-health-related data, user inputs, or analysis context. In this skill's context, that is more dangerous than usual because the skill processes stress, anxiety, and depression indicators, so logs could expose highly sensitive personal data to operators, log aggregation systems, or other tenants.

VirusTotal

VirusTotal findings are pending for this skill version.