Topview

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Topview media-generation skill, but it needs review because it handles credentials and user media while its network disclosures are not fully accurate.

Before installing, be comfortable linking a Topview account, storing credentials locally, uploading selected media and voice samples to Topview or its storage providers, and spending credits. Avoid sensitive or third-party biometric media unless you have consent, use webhook URLs only when you control them, and confirm any board or voice deletion explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Tainted flow: 'OAUTH_BASE_URL' from os.environ.get (line 28, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def cmd_login(args) -> None:
    """Full login flow: init device code → open browser → poll until done."""
    try:
        resp = requests.post(
            f"{OAUTH_BASE_URL}/api/device/init",
            json={
                "client_id": CLIENT_ID,
Confidence
98% confidence
Finding
resp = requests.post(
    f"{OAUTH_BASE_URL}/api/device/init",
    json={
        "client_id": CLIENT_ID,
        "scope": DEFAULT_SCOPE,
    },

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions while clearly requiring environment access, local file read/write, shell execution, and network access. This undermines least-privilege review and informed consent because operators may install or trust the skill without understanding that it can read local files, persist credentials, and execute scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The metadata claims all network calls go only to *.topview.ai, but the documented behavior includes presigned S3 uploads, arbitrary media downloads, and potentially user-supplied callback/webhook URLs. This is a material trust-boundary mismatch: reviewers may approve the skill under the assumption of domain confinement when in practice it can send data to or fetch data from non-Topview hosts, increasing exfiltration and SSRF-like risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata says all network calls go only to *.topview.ai, but the implementation permits TOPVIEW_OAUTH_URL to point anywhere and blindly trusts a token_endpoint returned by the remote server. This mismatch is security-relevant because users and reviewers may assume domain confinement while the code can communicate with arbitrary hosts and open arbitrary URLs in a browser during authentication.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script downloads the final video using requests.get(url) on whatever finishedVideoUrl the API returns, with no validation that the host is under *.topview.ai. In an agent context, this creates an SSRF-style outbound fetch / arbitrary network access primitive that contradicts the stated trust boundary and could be abused if the API, response, or upstream service is compromised or spoofed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script includes broad board-management and task-enumeration capabilities, including listing board details, members, share-related metadata, and deleting boards, which goes beyond the skill’s stated media-generation scope. In an agent context, this unnecessarily expands the action surface and can enable unauthorized discovery or destructive actions if the skill is invoked with user tokens or over-broad permissions.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The script downloads whatever URL the API returns using `requests.get(url)` with no validation that the host is within `*.topview.ai`, even though the skill metadata says network calls are limited to that scope. If the API response is malicious, compromised, or attacker-influenced, this can trigger outbound requests to arbitrary domains and write attacker-controlled content to disk, violating the declared trust boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script downloads a result from whatever URL the API returns via `requests.get(url, stream=True)` without validating the hostname, scheme, or destination. That breaks the stated security boundary that all network calls go only to `*.topview.ai` and creates an SSRF/open-fetch style risk where a compromised API, malicious response, or redirected URL could cause connections to arbitrary hosts, including internal services or unexpected external domains.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The client constructs `url = path` whenever the caller supplies a non-slash-prefixed string, allowing requests to arbitrary destinations rather than enforcing the declared `https://api.topview.ai` scope. Because authenticated headers are attached to these requests, a malicious or compromised caller could exfiltrate the Topview UID and bearer API key to an attacker-controlled host.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
`put_file` uploads file contents to any `upload_url` provided by the caller without validating the destination domain. Even if presigned uploads are expected in this workflow, this expands network egress beyond the manifest claim and can transmit local file contents to arbitrary external infrastructure if the URL is malicious or tampered with.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script downloads `voice.demoAudioUrl` with `requests.get()` and performs no validation that the URL belongs to `*.topview.ai`, despite the skill metadata claiming all network calls stay within that domain. If the API response is compromised, attacker-controlled, or simply returns arbitrary URLs, this creates an SSRF-style outbound request and untrusted content download path that can reach unexpected hosts and write attacker-supplied data locally.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata claims all network calls are limited to *.topview.ai, but download_video() performs requests.get(url, ...) on a URL taken directly from the API response without any allowlist or hostname validation. If the API, a proxy, or returned task data is compromised or malformed, this enables arbitrary outbound requests and breaks the declared trust boundary, creating SSRF-like behavior and unexpected data egress.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script accepts an arbitrary --notice-url and forwards it to the remote API without restricting it to *.topview.ai, contradicting the skill's stated network boundary. In an agent setting, this can be abused to exfiltrate task metadata or trigger server-side callbacks to attacker-controlled infrastructure, expanding network reach beyond the declared trust domain.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The README promotes privacy-sensitive capabilities such as voice cloning and credential setup without any visible warnings about consent, handling of biometric/audio data, or safe storage of API credentials. In this skill context, that is more dangerous because the advertised workflows involve uploading personal portraits, cloning voices, and setting persistent secrets, all of which can lead to privacy abuse or credential exposure if used casually.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to submit prompts and local/reference images to the Topview API but does not clearly warn that this content may be transmitted to an external service. This creates a real privacy and data-handling risk because users may provide sensitive prompts or image files without realizing they are leaving the local environment and being processed remotely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly encourages passing local image and audio paths and supports a user-supplied webhook URL, but it does not clearly warn that these files and callback data are transmitted to an external third-party service. This can lead users to unknowingly send sensitive media or internal endpoints off-host, increasing privacy, data-handling, and SSRF-like callback risks depending on how notice URLs are consumed by the backend.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation states that board detail output includes members and share tokens, but provides no warning that share tokens are sensitive secrets that can grant access to board content. In an agent context, this increases the chance the agent will retrieve, display, log, or pass these tokens to downstream tools or users unnecessarily, causing unintended disclosure.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents board deletion as a routine command without any warning, confirmation step, or safety guidance for destructive actions. In an autonomous or semi-autonomous agent workflow, this can lead to accidental deletion of user data or results if the command is invoked from ambiguous prompts or mistaken board IDs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation encourages users to provide local image paths and a webhook URL but does not warn that these inputs cause user content and callback metadata to be transmitted to an external Topview service. In a media-generation skill, uploaded images may contain sensitive personal, commercial, or biometric data, and webhook endpoints can expose internal infrastructure details or leak task results to unintended destinations if users are not clearly warned.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation allows `--image` to be a local path but does not warn users that the file will be uploaded to Topview's external service for processing. This can lead to unintended disclosure of sensitive local images or metadata, especially because the examples encourage passing local filenames directly and the skill is explicitly network-backed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly allows local image/video paths in arguments that are auto-uploaded to the external Topview service, but it does not clearly warn users that selecting a local path causes transmission of local files off-host. In a skill that handles media generation, this is contextually plausible behavior, but the missing disclosure creates a real risk of unintended exfiltration of sensitive local media or metadata.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The documentation states that generated videos can be downloaded to an output directory, but it does not clearly disclose that the tool will write files to local disk. This is lower severity than network exfiltration, but it can still surprise users, create privacy or storage issues, and overwrite or persist sensitive generated content in unintended locations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation promotes cloning voices from local audio and deleting cloned voices without any explicit warning that uploaded audio may contain biometric identifiers, copyrighted performances, or third-party personal data, and without reminding the agent to obtain consent before submission. In an agent setting, this omission increases the chance that users or automation will upload privacy-sensitive samples or perform destructive deletion without confirmation, leading to privacy harm, misuse of voice impersonation capabilities, or accidental data loss.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script can automatically download remote image URLs into a user-specified local directory and writes files without an explicit confirmation or overwrite-safety check. While this is expected functionality for an image client, it can still surprise an agent/user by creating local files and potentially overwriting existing ones if predictable filenames collide.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The --notice-url parameter is inserted directly into the task body and sent to the service, enabling callbacks to arbitrary external endpoints without any warning or restriction. This can cause task metadata and completion events to be disclosed to third parties, and in an agent environment it may be used to exfiltrate information through an attacker-controlled webhook.

VirusTotal

61/61 vendors flagged this skill as clean.
