S2-SP-OS Vision Cast

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks agents to probe LAN devices and route visual content with credentials while consent and scope controls are too loose.

Install only after reviewing the source and limiting use to networks and displays you control. Require explicit confirmation before every scan or visual push, provide the S2 token only when using snapshot push, and do not rely on the claimed encrypted or ephemeral fallback until a real implementation is provided and verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill declares only `allowed-tools: [exec]`, but its manifest and instructions clearly require environment-variable access and network activity for scanning target IPs and pushing data. This mismatch reduces transparency and weakens policy enforcement, making it easier for a caller or runtime to grant broader capabilities than users may realize.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The example authorizes access to personal schedule and interest-profile data to decide whether to forward external visual content, which exceeds the stated vision-casting function and normalizes cross-domain use of sensitive personal data. In a casting skill, this creates unnecessary data aggregation and could enable profiling-based decisions or disclosure without explicit user consent.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation claims pushes require explicit or heuristic authorization, but the examples repeatedly treat contextual inference, presence detection, or inferred benefit as sufficient authorization to send visual data to displays or personal devices. This mismatch is dangerous because it lowers the consent standard for privacy-sensitive content and can justify unauthorized disclosure in shared or personal spaces.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill requires unrestricted `exec` and instructs the agent to run arbitrary Python commands that perform network reconnaissance and data transmission. For a casting/sniffing workflow, this is broader than necessary and creates a path to abuse the host for unauthorized scanning, token misuse, or execution of modified local scripts.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code requires and reads S2_VISION_TOKEN before dispatching any mode, including the sniff mode that only performs local port probing and does not need a token. This is an unnecessary credential access pattern that expands exposure of sensitive environment data and violates least-privilege design.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The example describes silently pushing a surveillance-derived pet snapshot to a personal device based on ambient context and token possession, without a clear user-facing warning that privacy-sensitive monitoring data is being transmitted. Even if well-intentioned, this normalizes covert transfer of surveillance content and increases the risk of unauthorized disclosure or misuse of monitored imagery.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The example treats possession of an identity token as sufficient basis for a silent visual push, but does not warn the user about credentialed device-to-device transmission or the risks if the token or target selection is wrong. In a skill that routes visual data, silent token-backed delivery expands the blast radius of mistakes and can turn a notification feature into unauthorized exfiltration to personal endpoints.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The description markets a 'universal Protocol Sniffer' and secure fallback in broad terms without clear trigger boundaries, approved target scope, or consent requirements at invocation time. That ambiguity can cause an agent to activate reconnaissance-like behavior in contexts where the user did not explicitly request network probing.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly describes scanning target IPs or subnets for open casting ports and transmitting snapshots, yet it does not present a clear user-facing warning about privacy, consent, or the operational impact of probing a network. In context, this is more dangerous because the skill frames sniffing as the default first step, normalizing behavior that can expose device inventory and send data to unintended displays.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guide documents active probing of local-network devices by testing well-known ports to infer device type, which is a form of network scanning. Even if limited to a few ports, doing this without explicit user notice, consent, scope limitation, and privacy guidance can surprise users, violate enterprise network policies, and enable unauthorized device discovery in sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill performs active network probing against a target IP by attempting TCP connections to multiple service ports, but there is no user-facing disclosure that a scan will occur. In an agent context, undisclosed scanning is risky because it can surprise users, violate policy expectations, and be repurposed for internal reconnaissance across a LAN.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding
The code accesses a sensitive token from the environment without any runtime explanation to the user about what is being read or how it will be used. While the token is not exfiltrated in this snippet, silent credential access in an agent skill reduces transparency and makes abuse harder for users to detect.

Env Variable Harvesting

Severity: High
Category: Data Exfiltration
Content
        print(json.dumps({"error": "SECURITY BLOCK: S2_PRIVACY_CONSENT=1 is missing."}, ensure_ascii=False))
        sys.exit(1)

    vision_token = os.environ.get("S2_VISION_TOKEN")
    if not vision_token:
        print(json.dumps({"error": "SECURITY BLOCK: S2_VISION_TOKEN is missing."}, ensure_ascii=False))
        sys.exit(1)
Confidence: 91%
Finding
os.environ.get("S2_VISION_TOKEN

VirusTotal

66/66 vendors flagged this skill as clean.