S2 SSSU Origin Alignment Brain (S2 空间原点对齐与孪生大脑)

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it bundles origin alignment with robotics control-plane behavior that needs careful review before use.

Install only if you intend to evaluate a local robotics/control-plane prototype, not a narrow alignment helper. Keep it isolated from real robots and home devices until you add operator approval gates, scoped network access, privacy and retention rules for sensor/geolocation data, and tests confirming the safety paths actually run.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (29)

Description-Behavior Mismatch (High, 94% confidence)

The file implements behavior well beyond the stated origin-alignment purpose: a pseudo-physics state engine plus persistent ledger logging. Excess, undocumented capability increases attack surface and can enable unauthorized data persistence or misleading downstream automation, especially if other components trust ledger entries as authoritative state.

Context-Inappropriate Capability (Medium, 88% confidence)

The Monte Carlo-style optimization routine is an unjustified capability for an origin-alignment skill and represents scope creep. While not directly dangerous by itself, it can consume resources, create opaque decision logic, and provide a foothold for hidden or repurposed behavior inconsistent with the declared function.

Context-Inappropriate Capability (Medium, 95% confidence)

Writing generated Markdown records to a ledger introduces persistent side effects not justified for pure spatial-origin alignment. Markdown/log injection risks arise if actor or action fields are attacker-controlled, and durable logging can leak operational context or poison downstream consumers that render or parse these entries.

Description-Behavior Mismatch (High, 95% confidence)

The file implements a broad governance/control plane—visa validation, access control decisions, safety isolation, and audit logging—that materially exceeds the stated origin-alignment purpose. In an agent skill, this kind of scope expansion is dangerous because it grants authority over robot behavior and operational policy without clear justification, increasing the chance of abuse, unintended shutdowns, or hidden policy enforcement.

Context-Inappropriate Capability (High, 94% confidence)

The skill contains robot access-control and safety-enforcement logic that is unrelated to 2D/Z-axis origin alignment, creating an unjustified privileged control path. This is dangerous because a seemingly narrow alignment module could deny actions, constrain movement, or alter robot operating state under the guise of a different function.

Context-Inappropriate Capability (Medium, 86% confidence)

The embedded global context includes owner sleep state, restricted room labels, and cached radar-map intelligence, which resemble occupancy and surveillance data unrelated to origin alignment. Exposing or using this data in an alignment skill increases privacy risk and creates an opportunity to infer sensitive household behavior and protected spaces.

Intent-Code Divergence (Medium, 84% confidence)

The documentation claims 'no direct actuator manipulation,' but the code actively revokes visas and issues a soft-halt/isolation action that changes robot behavior. This mismatch is dangerous because it obscures the true power of the skill, undermines review, and can cause operators to grant trust to a component that can still interrupt or immobilize systems.

Description-Behavior Mismatch (High, 96% confidence)

The pipeline performs external side effects unrelated to its stated 2D origin-alignment role, including ledger writes and environmental negotiation. This kind of scope expansion increases privilege and attack surface: a navigation/alignment component can trigger external state changes and consume sensitive credentials, making misuse or hidden behaviors harder to detect and govern.

Context-Inappropriate Capability (High, 98% confidence)

The added generative sandbox introduces a new powerful capability—spatial state generation—that is not justified by the stated purpose and is injected directly into the navigation pipeline. In a robotics context, generated physical-state outputs can influence downstream decisions, logs, or coordination systems, creating opportunities for unsafe actions, hidden behavior changes, or unauthorized simulation-driven control effects.

Intent-Code Divergence (Medium, 81% confidence)

The duplicated class redefines the original implementation and claims the first four safety-relevant steps remain unchanged, but they are actually omitted. This can silently disable boundary scanning, fusion checks, collision handling, and negotiation logic, leading reviewers or operators to believe protections exist when the executing class no longer enforces them.

Intent-Code Divergence (Medium, 97% confidence)

The code claims to write changes to an 'immutable ledger', but it only appends entries to a mutable in-memory list without hash chaining, persistence, or tamper detection. This can mislead downstream systems or operators into trusting audit data that can be modified or lost, undermining integrity and forensic value.

Description-Behavior Mismatch (High, 96% confidence)

The implementation materially exceeds the declared skill purpose by wiring in visa management, navigation, and generative simulation capabilities. This kind of scope drift is dangerous because it can bypass operator expectations, approval boundaries, or policy checks that rely on the manifest to understand what the skill is allowed to do.

Description-Behavior Mismatch (High, 95% confidence)

`REQUEST_VISA` introduces an access-control issuing function in a skill described as doing spatial origin alignment. Hidden privilege-management behavior is risky because consumers may invoke or approve the skill without realizing it can mint or broker access to protected grids or resources.

Description-Behavior Mismatch (High, 97% confidence)

`NAVIGATE_STEP` performs active robot-navigation execution and processes physical-state inputs, which is significantly more safety-sensitive than origin alignment. In a robotics context, undocumented actuation-related behavior increases the chance of unsafe movement, misuse, or deployment in environments where only passive coordinate transformation was expected.

Description-Behavior Mismatch (Medium, 90% confidence)

`TRIGGER_MICRO_SIMULATION` adds a generative simulation pathway not disclosed by the manifest. Even if not directly actuating hardware, hidden simulation capability can be abused to consume resources, influence decision-making, or produce outputs that downstream systems trust without realizing their origin.

Context-Inappropriate Capability (Medium, 88% confidence)

The presence of a generative sandbox in an alignment-focused skill is unjustified by the stated purpose and expands the attack surface unnecessarily. In this context, unnecessary generative/runtime components are more dangerous because the skill operates in a robotics/spatial domain where extra capabilities can affect planning, safety, and trust boundaries.

Intent-Code Divergence (Medium, 87% confidence)

The header text openly advertises capabilities broader than the manifest, reinforcing that the module's true behavior does not match its declared purpose. Documentation and manifest mismatches are security-relevant because reviewers, users, and automated policy systems may rely on the narrower description and miss higher-risk functionality.

Description-Behavior Mismatch (Medium, 96% confidence)

The implementation does not perform the safety-critical behaviors promised by the skill metadata and manifest: there is no Z-axis reduction logic, no origin alignment to a main entrance anchor, and no global 2D translation. Instead, it runs a narrow front-sector scan in the sensor's local frame, which can cause downstream agents or operators to trust spatial outputs that are misaligned with the intended coordinate system and safety model. In a spatial-navigation skill, this mismatch can lead to incorrect obstacle interpretation, unsafe motion decisions, or policy bypass through incomplete environmental coverage.

Description-Behavior Mismatch (High, 92% confidence)

This module materially diverges from the advertised skill behavior: it implements generic sensor-fusion collision prediction but does not perform the promised Z-axis reduction, 2D grid translation, or main-entrance origin alignment. In an agent system that relies on the manifest to compose spatial reasoning safely, this mismatch can cause downstream components to trust outputs as origin-aligned when they are not, leading to unsafe navigation or control decisions.

Intent-Code Divergence (Medium, 90% confidence)

The function returns raw sensor input under the field name `current_aligned_state` and even comments that it preserves an aligned state, which is misleading. Consumers may treat unprocessed sensor data as spatially normalized or safety-checked state, causing incorrect reasoning, policy bypass, or unsafe actuation based on false assumptions about coordinate alignment.

Description-Behavior Mismatch (High, 98% confidence)

The implemented behavior materially diverges from the declared skill purpose: instead of Z-axis reduction and 2D entrance-anchor alignment, it performs peer signature checks and right-of-way arbitration for mobile agents. This kind of capability mismatch is dangerous because it can hide undeclared control logic inside a skill that operators may grant broader trust to based on the manifest, enabling unauthorized coordination or traffic-control decisions in a robotics context.

Context-Inappropriate Capability (Medium, 95% confidence)

The skill reads a PKI root from the environment and uses it to gate peer trust, even though that cryptographic validation capability is unrelated to the stated origin-alignment function. Undeclared security-sensitive behavior increases attack surface and can be abused to influence trust decisions or conceal unexpected network-control functionality within an innocuous-seeming skill.

Missing User Warnings (Medium, 93% confidence)

The README explicitly instructs agents to submit continuous sensor and kinematic telemetry, including lidar and motion data, without any mention of consent, minimization, retention, access control, or safe handling. In a robotics and smart-home context, this data can reveal room layout, occupancy patterns, and device behavior, creating real privacy and safety risks if collected or transmitted insecurely.

Missing User Warnings (Medium, 91% confidence)

A sensitive credential (`visa_token`) is used in an external negotiation call without any evident disclosure, minimization, or guardrails. Even if not directly logged here, embedding credential-backed external actions inside a navigation routine increases the chance of unintended network use, privilege abuse, and opaque data flows from a component whose stated purpose does not require it.

Missing User Warnings (Medium, 95% confidence)

The document explicitly requires binding an indoor origin point to precise WGS84/CGCS2000 coordinates, which can reveal the exact physical location of a residence or facility. In the context of a spatial-twin/origin-alignment skill, this creates a direct privacy and physical-security risk because indoor maps become linkable to a real-world address without any consent, minimization, or access-control requirements.

VirusTotal

64/64 vendors flagged this skill as clean.