Local Image Semantic Search

Security checks across malware telemetry and agentic risk

Overview

This is a local image-search skill that broadly scans and indexes local pictures, but its sensitive behaviors are mostly disclosed and match its purpose.

Install only if you are comfortable creating a local searchable index of your images and leaving result files containing search terms and local paths on the Desktop. Before first use, edit SCAN_ROOTS to the folders you actually want indexed, use a virtual environment, and treat image_db and exported result files as private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that read large portions of the local filesystem, write output files, and may use environment variables, but it does not declare corresponding permissions or present them transparently to the user. This creates a real trust and consent problem because a seemingly simple image-search skill can access many local files and produce persistent outputs without explicit permission signaling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond a narrow 'local image search' feature by performing full-disk recursive scans, downloading models from the network, maintaining an index, and writing search results to the desktop. That mismatch is dangerous because users may authorize or invoke the skill under an incomplete understanding of its privacy, persistence, and network effects.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
Expanding from 'local image search' to scanning multiple drive roots materially increases the privacy impact and data-access scope of the skill. Even if intended for indexing, broad recursive disk scanning can expose sensitive personal or enterprise images and is more invasive than users may reasonably infer from the title and short description.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The default configuration enables automatic detection of all available drives, which can cause the skill to index far more local content than a user would reasonably expect from a photo-search feature. In this context, that expands access to sensitive personal or enterprise images across the whole machine and increases privacy risk even without explicit malicious code.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code forces use of a third-party HuggingFace mirror and sets a model cache path, introducing undeclared network dependency and remote artifact retrieval. That is risky because model downloads and metadata requests may leak environment information, create supply-chain exposure, and violate user expectations for a local image-search skill.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script is presented as a local image search/indexing tool, but on first run it may silently fetch model artifacts from the internet. This creates an unexpected data-flow and supply-chain surface: users may believe the tool is fully local, while execution can still initiate remote requests to a model host or mirror.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
If no scan roots are configured, the script enumerates all available drive letters and recursively scans them for images. That behavior is broader than the stated purpose and can expose sensitive personal or enterprise image locations, including mounted removable or network drives, without clear user intent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is presented as a local image search tool, but it explicitly configures a third-party Hugging Face mirror and falls back to downloading models over the network. This creates an unexpected external dependency, can leak usage metadata/IP information, and weakens the user's trust boundary because a 'local' skill may fetch remote code/artifacts at runtime.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script automatically writes a search-results file to the user's Desktop even though the skill is described as search-only behavior. This can expose sensitive local file paths and search terms in a highly visible location without consent, creating privacy and data-handling risks beyond the expected scope of the tool.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module documentation understates the script's behavior by claiming it only searches local images, while the implementation also downloads models and writes output files. This mismatch is security-relevant because users and reviewers may grant broader trust or permissions based on incomplete documentation, leading to unnoticed network and file-system side effects.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script is presented as a local image search/update utility, but when the model is absent it silently falls back to downloading model artifacts from the network. This expands the trust boundary from purely local processing to remote supply-chain dependencies, creating privacy, integrity, and reproducibility risks that users may not expect in a local-only skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
If roots are not configured, the script enumerates all available drive letters and then scans them recursively for images. That behavior is broader than the stated image-search context and can expose sensitive locations, removable media, or unrelated personal/work files to indexing without explicit user consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to scan multiple local drives and states that search results are saved to the desktop, but it does not clearly warn that this may index sensitive personal or enterprise images and expose filenames/contents in an easily visible location. In a local-image search skill, broad disk scanning is contextually expected, but the lack of explicit consent, scope limitation guidance, and privacy warning makes accidental over-collection and unintended exposure more likely.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The README says the model will be downloaded automatically from a mirror site without clearly notifying users that first run performs external network access and pulls third-party artifacts. While model download is normal for ML tooling, undocumented outbound access and reliance on a mirror increase supply-chain and transparency concerns, especially in restricted or privacy-sensitive environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill lacks a clear privacy warning despite indexing images across multiple drives and writing search results to a visible desktop file. This is dangerous because image paths and semantic matches may reveal sensitive personal information, and users are not adequately warned about the collection, indexing, and persistence of that data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Recursive traversal of all discovered drives performs very broad filesystem access without an explicit warning or consent flow. In the context of a local photo search skill, this increases privacy risk because the script may index images outside the user's expected library, including confidential screenshots, document scans, or images on shared volumes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The model-loading path falls back to downloading from a remote source when local files are unavailable, but the user is only told this at runtime after execution has already begun. This is risky because it can violate offline expectations, disclose environment metadata through outbound requests, and introduce dependency on remote model artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically persisting search results to the Desktop without prior warning or confirmation is a privacy and surprise-side-effect issue. The saved file includes the user's query and local image paths, which may reveal sensitive personal content and leave residual data on the system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recursive scan walks all discovered roots for image files with no explicit warning that it may traverse the entire filesystem. In a local assistant skill, that creates an overbroad privacy exposure because filenames and paths from many directories can be collected into an index, including sensitive or unexpected locations.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Image AI search tool - dependency list

# Deep learning models
torch>=2.0.0
transformers>=4.30.0

# Vector database
Confidence
91% confidence
Finding
torch>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Deep learning models
torch>=2.0.0
transformers>=4.30.0

# Vector database
faiss-cpu>=1.7.0
Confidence
91% confidence
Finding
transformers>=4.30.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
transformers>=4.30.0

# Vector database
faiss-cpu>=1.7.0
# or: conda install faiss-cpu (if the pip install fails)

# Image processing
Confidence
84% confidence
Finding
faiss-cpu>=1.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# or: conda install faiss-cpu (if the pip install fails)

# Image processing
Pillow>=9.0.0

# Progress bar
tqdm>=4.60.0
Confidence
90% confidence
Finding
Pillow>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
Pillow>=9.0.0

# Progress bar
tqdm>=4.60.0

# Note: the first run automatically downloads the CLIP model (about 340MB)
Confidence
80% confidence
Finding
tqdm>=4.60.0

Known Vulnerable Dependency: torch — 10 advisory(ies): CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
torch

VirusTotal

63/63 vendors flagged this skill as clean.
