ClawHub

trackup food analyze

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward food analysis helper that sends user-selected food images or keywords to disclosed deepeat.ai APIs.

Install only if you are comfortable sending selected food images, image URLs, base64 image data, and food-search keywords to deepeat.ai for processing. Avoid private or identifying photos unless you accept third-party processing, and delete temporary /tmp image payload files after use when the image is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send food images to external production APIs but provides no privacy notice, consent step, or warning that image contents leave the local environment. Because images can contain sensitive information or metadata, this omission can cause unintended disclosure of personal data to a third-party service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The local image workflow shows how to base64-encode a local file and submit it to a remote endpoint, but it does not warn that the resulting payload contains the full image contents and will be uploaded off-device. This increases the risk of accidental exfiltration of sensitive local files under the guise of routine image analysis.

External Transmission

Medium
Category
Data Exfiltration
Content
Request example:

```bash
curl --silent --show-error --location \
  'https://deepeat.ai/step.aispark.api.API/SearchFood' \
  --header 'Content-Type: application/json' \
  --data '{
Confidence
84% confidence
Finding
curl --silent --show-error --location \ 'https://deepeat.ai/step.aispark.api.API/SearchFood' \ --header 'Content-Type: application/json' \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
Call full food analysis directly:

```bash
curl --silent --show-error --location \
  'https://deepeat.ai/step.aispark.api.API/AnalyzeWholeFood' \
  --header 'Content-Type: application/json' \
  --data-binary @/tmp/food_image.json
Confidence
98% confidence
Finding
curl --silent --show-error --location \ 'https://deepeat.ai/step.aispark.api.API/AnalyzeWholeFood' \ --header 'Content-Type: application/json' \ --data-binary

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal