Phi Phi4

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for installing and using a local Ollama fleet router, with broader APIs disclosed but no hidden execution or credential behavior found.

Install this only if you intend to run the broader ollama-herd local router, not just a single Phi model shortcut. Review the ollama-herd package source, use an isolated Python environment where practical, keep the service bound to trusted interfaces, and treat prompts, uploaded audio/files, and ~/.fleet-manager logs as potentially sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill is presented as a narrow Phi-family local serving capability, but the document also advertises broader fleet features including other model families and unrelated modalities. This scope mismatch can mislead users and security reviewers about what the skill exposes, increasing the risk of unexpected access to additional inference endpoints and capabilities.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Including image-generation endpoints in a Phi-model skill expands the operational scope beyond the declared purpose and may expose users to undisclosed model execution paths. Hidden or poorly documented modality expansion is dangerous because operators may enable the skill assuming only text LLM behavior while additional generation APIs are actually available.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The transcription API is unrelated to the stated Phi-model purpose and introduces another data-processing surface that may handle sensitive audio inputs. Users expecting only local text inference may unknowingly expose recordings or enable speech-processing features that were not part of the declared trust boundary.

Context-Inappropriate Capability

Low
Confidence: 84%
Finding
Advertising embeddings in a Phi-specific serving skill broadens the available APIs beyond the represented functionality. While lower risk than arbitrary code execution, this still creates a documentation-to-capability mismatch that can lead to unreviewed data processing and incorrect assumptions about the deployed service.

Intent-Code Divergence

Low
Confidence: 81%
Finding
The guardrails emphasize confirmation for model downloads and deletion, but they do not establish equivalent safety boundaries for the additional APIs advertised elsewhere in the file. This can create a false sense of safety by implying the whole skill is tightly controlled when only a subset of actions is explicitly constrained.

VirusTotal

VirusTotal findings are pending for this skill version.