Unaccompanied Monitoring Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is framed as elderly unattended monitoring, but its bundled code and data handling expand into sensitive remote video, identity, token storage, and unrelated face/health analysis behavior that need review before use.

Install only after verifying the publisher, the remote API operator, and the exact data contract. Require explicit consent from the monitored person or an authorized caregiver, confirm where video and identifiers are sent and how long they are retained, remove or explain the face/health-analysis modules, avoid reusing credentials read from config files as an open-id, and ensure that local token storage and logging are acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to read local/workspace config files to obtain an open-id or api-key, which creates a path for unauthorized credential harvesting from the broader workspace. That is especially risky because the same skill also has network and shell capabilities, enabling those discovered secrets to be used for backend access or exfiltration unrelated to the user's immediate request.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The documentation claims care reminders are sent to family members, but the operational flow only covers analysis and report retrieval. This is dangerous because it can create false assurance in a safety-critical elder-care context, leading users to believe an alerting workflow exists when no direct notification may actually occur.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding
The analysis request injects a pet-related parameter into a skill described as elderly unaccompanied monitoring, indicating probable code reuse or hidden cross-domain behavior. In a sensitive elder-care context, sending semantically unrelated parameters can misroute data, trigger incorrect model logic, or leak contextual information to a backend not intended for this use case.

Intent-Code Divergence

Severity: High
Confidence: 91%
Finding
The inline comment explicitly documents pet-type behavior that conflicts with the declared elderly-care purpose, which is a strong indicator of copy-paste reuse or misconfigured functionality. In safety-relevant monitoring, such inconsistencies can lead to wrong inference paths, operational mistakes, and reduced trust in whether the skill handles elder data appropriately.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The README documents a face-analysis health diagnostic skill, while the declared skill metadata is for monitoring whether an elderly person living alone has gone without interaction and notifying family members. This mismatch is dangerous because it can conceal the true capabilities of the skill, mislead reviewers and operators about what data is collected, and enable unexpected collection or transmission of sensitive biometric/health data in a safety-critical elder-care context.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The documented API performs face analysis and returns health/diagnosis-style outputs that are unrelated to the stated purpose of monitoring whether an elderly person living alone has had interaction or visitors. This kind of capability mismatch is dangerous because it can hide undeclared collection and inference of biometric and health-related data, expanding the skill far beyond user expectations and creating significant privacy and compliance risk.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The API claims to infer organ condition, constitution, and health warnings from facial video, which is highly sensitive and not justified by an elderly no-interaction monitoring use case. This is dangerous because it introduces unsupported or deceptive health inference from biometric data, which can mislead caregivers and expose users to privacy harms, discriminatory processing, and regulatory violations.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The file configures endpoints for face/health analysis workflows that do not match the declared purpose of elderly-alone monitoring. This kind of capability mismatch is dangerous because it can hide undeclared collection or processing of sensitive biometric/health data, creating privacy, consent, and supply-chain trust risks for users and integrators.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The comment explicitly describes a traditional Chinese medicine face-diagnosis analysis tool, which contradicts the stated elderly-monitoring function. In context, this increases concern that the skill may be repurposed, mislabeled, or bundled with undisclosed medical-analysis functionality, undermining reviewability and informed consent.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The implementation materially diverges from the declared skill purpose: instead of monitoring elderly isolation and sending family care reminders, it performs TCM face-analysis on uploaded video. This is dangerous because operators and users may grant access, data, or trust under false assumptions, leading to unauthorized collection and processing of sensitive biometric/health-adjacent data in a context that appears unrelated to the manifest.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The history-list feature retrieves face-analysis records rather than elderly monitoring events or reminder workflows described by the skill metadata. This mismatch can mislead users and reviewers about what data is being stored and surfaced, increasing the risk of improper access to unrelated sensitive records.

Intent-Code Divergence

Severity: Low
Confidence: 93%
Finding
The function signature suggests results should be scoped to a provided open_id, but the implementation ignores that argument entirely and calls a generic list method. If the backend method is not internally scoped, this can expose other users' analysis history, creating an access-control and privacy violation involving potentially sensitive biometric or health-related records.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The implementation is materially inconsistent with the declared skill purpose: instead of monitoring unaccompanied elderly interaction and notifying family members, it uploads videos/files and retrieves face-analysis reports. In a remote-care context, this kind of capability mismatch is dangerous because users may provide sensitive elder video data under false assumptions about what the skill does, creating privacy, consent, and data-handling risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill adds a general-purpose AI-agent invocation path that is unrelated to the stated elderly-monitoring function, expanding capability beyond its declared scope. Even though the current subprocess execution is commented out, this code is designed to forward arbitrary prompts to an external agent and could be enabled later or reused elsewhere without proper review, creating unnecessary attack surface and possible data exfiltration risk.

Intent-Code Divergence

Severity: Medium
Confidence: 85%
Finding
The function documentation claims it invokes an external agent, but the implementation uses a dummy result object and then accesses stderr/stdout attributes that do not exist on a dict. This mismatch is dangerous because it obscures actual behavior, causes runtime errors, and can hide whether sensitive prompts are truly being transmitted or whether the feature is a stub that may later be enabled without adequate security controls.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding
This utility performs remote user creation/login and persists returned tokens, which is functionality far beyond a simple elderly monitoring/reminder helper. In this skill context, silently establishing accounts and storing credentials increases the attack surface, enables unauthorized account linkage, and can expose users to privacy and account misuse risks if the helper is invoked unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The default trigger condition is broad enough to activate on generic monitoring-analysis requests, which can cause the skill to run and upload sensitive home surveillance inputs without sufficiently specific user intent. In a privacy-sensitive elder-care setting, overbroad triggering increases the chance of unnecessary processing, remote transfer, or report generation for intimate in-home data.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The automatic history-query trigger uses broad phrases that may invoke retrieval of historical monitoring reports without a sufficiently specific request or re-authentication step. Because those reports concern in-home elder monitoring and may include links or sensitive metadata, accidental triggering can expose private records to the wrong conversation context or user.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill involves continuous in-home video/sensor monitoring and sharing alerts or reports with family members, yet the description lacks an explicit privacy warning and consent framing. This is particularly dangerous because the monitored subjects are elderly individuals in a home environment, making the data highly sensitive and the risk of surveillance overreach, unauthorized sharing, and regulatory noncompliance much greater.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README instructs users to upload local or remote video to an API endpoint for face analysis but does not warn that videos may contain sensitive biometric and health-related information or explain transmission, retention, and third-party processing risks. In an elder-care setting, this is more dangerous because the likely subjects are vulnerable individuals, making uninformed collection and transfer of facial video especially privacy-sensitive.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documentation instructs users to upload videos or provide public video URLs for face analysis without any warning about handling biometric and health-sensitive data. In the context of elderly home monitoring, this is especially risky because it encourages transfer of intimate household footage and facial data without clear notice on consent, retention, sharing, or secure transmission requirements.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The CLI requires an OpenID/UserId/username/phone number without any disclosure about how that identifier will be transmitted, stored, or linked to analysis results. In a skill handling face videos and analysis history, this increases privacy risk because sensitive identifiers can be correlated with biometric and health-adjacent data without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code sends a local video path or URL to a remote analysis capability through skill.get_output_analysis without explicit disclosure that user media will be transmitted off-device. Because face videos are highly sensitive biometric data, hidden network transmission materially increases privacy and compliance risk, especially when the skill is presented as something else in the manifest.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends either a local file's full contents or a remote video URL to an analysis API without any visible user-facing disclosure, confirmation, or consent gate in this path. Because the skill processes face/video data in an elderly-care context, silent transmission of biometric and health-adjacent information materially increases privacy and compliance risk if users do not understand where their data is going.

Natural-Language Policy Violations

Severity: Medium
Confidence: 86%
Finding
The configuration hard-codes a specific tenant code ("XIAN_ZHAO_GAN_ZHI") with no indication that tenant selection is derived from authenticated user context or explicit user choice. In a remote elderly-care monitoring skill, tenant scoping affects which organization, users, or care recipients are addressed, so a fixed tenant can cause cross-tenant data routing, misdirected reminders, or unauthorized access if the skill is reused outside that intended deployment.

VirusTotal

VirusTotal findings are pending for this skill version.