ClawHub

MiVisionForgeSVOR

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud-backed video object removal tool, but users should avoid sending sensitive videos to the remote service.

Install only if you are comfortable sending selected videos and derived masks to the disclosed Xiaomi Tools SVOR endpoint. Use non-sensitive test videos first, protect SVOR_API_KEY like a password, and avoid videos containing private, identifiable, regulated, or confidential content unless you accept the service's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares powerful capabilities in metadata and documented behavior: it requires an API key, writes temporary files, invokes shell-accessible tools such as Python and ffmpeg, and uploads full video content to a remote service. If the platform relies on explicit permission declarations separate from these fields, the missing declaration is a real security issue because users and policy controls may not get a clear, enforceable summary of environment, filesystem, network, and command execution access.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description suggests a video object removal tool, but the implementation uploads the user's local video to a remote endpoint for segmentation. This creates a real privacy and data-governance risk because sensitive media leaves the local environment without prominent disclosure, which is especially important for user-generated video content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The tool uploads local video content to a remote API without an explicit privacy or data-transmission warning at the point of use. For media files, this is dangerous because users may unknowingly transmit sensitive visual data, metadata, or regulated content to third-party infrastructure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The erasure step sends both the video and generated mask to an external service, again without a clear user-facing warning. This compounds the privacy issue because both source content and derived annotations are transferred off-device, increasing exposure and potential misuse risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal