Universal Data Model for the next generation of AI-driven smart spaces

Security checks across malware telemetry and agentic risk

Overview

This skill is a local template generator for a smart-space JSON data model, with no evidence that it captures camera, microphone, credentials, or network data.

Install this if you want a local JSON template generator for smart-space state modeling. Run it from a directory where creating or replacing s2_primitive_data/primitive_6_elements_template.json is acceptable, and review any real-world sensor or control values you later add before giving the template to agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence: 87%
Finding
The manifest explicitly states that camera recording is excluded for privacy, while the associated static finding indicates the skill actually captures an image from the webcam. That mismatch is security-relevant because it misrepresents sensitive device access to users and reviewers, undermining informed consent and potentially enabling covert collection of visual data in a smart-home or spatial-computing context.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The generated schema makes strong privacy claims such as 'no camera recording' and 'records disabled' while still modeling microphone monitoring and video stream source fields. Even though this code does not itself capture audio or video, the contradictory design can mislead downstream integrators, users, or agents into treating monitoring-related capabilities as privacy-safe, increasing the risk of covert surveillance features being enabled or normalized.

VirusTotal

65/65 vendors flagged this skill as clean.
