今日水印相机 (Today Watermark Camera) - Photo Verification

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed photo-verification integration: it sends user-supplied public photo URLs to the provider API named in its description and returns the capture time and location the provider extracts. The findings below concern privacy (what gets logged and what gets returned), the accuracy of the tool's own annotations, and packaging.

Install only if you are comfortable sending public photo URLs to openapi.xhey.top and exposing the returned capture-time and location metadata to your agent. Keep the API secret in environment variables rather than in config files, use the most limited credentials the provider offers, do not submit private, internal, or presigned image links (the URL itself can end up in logs, and a presigned URL grants access to the object), and remove or disable the verbose debug logging before using the bundled Feishu implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The debug logger emits the full execution context and form parameters, masking only `groupSecret`; attachment metadata, request context, and potentially temporary photo URLs still reach the logs. For a skill whose stated purpose is limited to authenticity verification and which claims not to retain image-related data, this creates unnecessary secondary storage of sensitive data that operators, support staff, or downstream logging systems may be able to read. A temporary or presigned URL written to a log is also a live capability to fetch the photo for as long as the link stays valid.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The code contradicts the privacy expectations set by the skill description: although the description says photo data is neither retained nor forwarded beyond verification, the debug path logs context and request details, and later logging captures the external API responses as well. Even if raw image bytes are never logged, temporary attachment URLs and verification results reveal photo metadata such as capture time and geolocation, so the logs effectively retain sensitive information.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The tool echoes the submitted photo URLs and the extracted metadata (GPS coordinates, address, capture time) in its output, exposing more user data than verification requires. In a photo-authenticity skill these fields can reveal precise location history and operational details, which is in tension with the privacy claims in the skill description; a verdict plus the coarsest metadata the caller actually needs would satisfy the stated purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The tool is annotated with `readOnlyHint: true`, yet it issues POST requests that create verification tasks on an external service. A client or orchestrator that honours the hint may treat the call as non-mutating and lower-risk than it is, for example by skipping a confirmation step, leading to unintended external side effects and data disclosure.
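Findings 3 and 4 concern what the tool declares about itself and what it hands back. As an added example (not the skill's own code), the block below shows the MCP tool annotations a task-creating POST should carry, a small lint that flags `readOnlyHint: true` on a handler that issues a mutating HTTP method, and a result shaper that never echoes the submitted URL and returns location only when the caller explicitly asks for it. The tool records (`method`, `external`) and the provider response fields (`isAuthentic`, `captureTime`, `lat`, `lng`, `address`, `photoUrl`) are constructed for illustration; the page does not show the real response schema.

```javascript
// Added example, not the skill's own code. Tool records, annotations and the
// provider response fields below are constructed for illustration.

// MCP tool annotations for a handler that POSTs a new verification task to an
// external provider. Annotations are hints and are not enforced by the
// protocol, so they have to describe what the handler really does.
const verifyPhotoAnnotations = {
  title: "Verify watermark photo",
  readOnlyHint: false,     // the POST creates a task on the provider side
  destructiveHint: false,  // creates remote state, deletes nothing
  idempotentHint: false,   // every call creates a new task
  openWorldHint: true,     // talks to a service outside the host
};

// Lint: a tool whose handler issues a mutating HTTP method must not claim to
// be read-only, and one that calls out must say so. `method` and `external`
// are assumed fields describing the handler.
function annotationMismatches(tool) {
  const problems = [];
  const safeMethods = ["GET", "HEAD", "OPTIONS"];
  const mutating = !safeMethods.includes(tool.method.toUpperCase());
  const a = tool.annotations || {};
  if (mutating && a.readOnlyHint === true) {
    problems.push(`${tool.name}: readOnlyHint=true but handler issues ${tool.method}`);
  }
  if (tool.external && a.openWorldHint !== true) {
    problems.push(`${tool.name}: calls an external service but openWorldHint is not true`);
  }
  return problems;
}

// Data minimisation for the tool result: verdict and capture date by default;
// the submitted URL is never echoed back; precise location only on request.
function shapeResult(apiResponse, { includeLocation = false } = {}) {
  const result = {
    authentic: Boolean(apiResponse.isAuthentic),
    captureDate: typeof apiResponse.captureTime === "string"
      ? apiResponse.captureTime.slice(0, 10)
      : null,
  };
  if (includeLocation) {
    result.location = {
      lat: apiResponse.lat,
      lng: apiResponse.lng,
      address: apiResponse.address,
    };
  }
  return result;
}

// Constructed sample provider response (field names are assumptions).
const sampleResponse = {
  isAuthentic: true,
  captureTime: "2024-05-01T10:00:00+08:00",
  lat: 39.9042,
  lng: 116.4074,
  address: "Chaoyang District, Beijing",
  photoUrl: "https://cdn.example.com/p/1.jpg",
};

// Two tool records: the shape the finding describes, and the corrected one.
const sampleTools = [
  { name: "verify_photo", method: "POST", external: true,
    annotations: { readOnlyHint: true, openWorldHint: true } },
  { name: "verify_photo", method: "POST", external: true,
    annotations: verifyPhotoAnnotations },
];

for (const tool of sampleTools) {
  console.log(annotationMismatches(tool));
}
console.log(shapeResult(sampleResponse));
```

Whichever registration call the SDK version in use exposes, the annotations object travels with the tool definition. The MCP specification defines annotations as hints and tells clients to treat them as untrusted unless the server is trusted, which is exactly why a wrong `readOnlyHint` is a finding rather than a cosmetic issue: a trusted server's hint is what a client will act on.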

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
"start": "node mcp_server.js"
  },
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.10.0",
    "zod": "^3.23.0"
  },
  "engines": {
Confidence: 89%
Finding
"@modelcontextprotocol/sdk": "^1.10.0"

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
},
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.10.0",
    "zod": "^3.23.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence: 89%
Finding
"zod": "^3.23.0"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.10.0 — 3 advisory(ies): CVE-2026-25536 (@modelcontextprotocol/sdk has cross-client data leak via shared server/transport); CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

Severity: High
Category: Supply Chain
Confidence: 98%
Finding
@modelcontextprotocol/sdk==1.10.0
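The three dependency findings share one root: caret ranges in package.json, which the scanner graded at their floor (`^1.10.0` resolves down to `1.10.0`, hence `==1.10.0` in the finding). The following added example, not part of the skill, lists unpinned ranges, derives the floor the way the scanner did, and compares it with what a lockfile actually resolved. The package.json mirrors the excerpt quoted in the findings; the lockfile fragment is constructed, and the versions in it are sample data, not a statement about which releases fix the listed advisories.

```javascript
// Added example, not the skill's own code: list unpinned ranges in a
// package.json, derive the floor version a scanner grades, and compare with
// what the lockfile resolved. The package.json mirrors the excerpt quoted in
// the findings; the lockfile fragment and its versions are constructed.

// Floor of the common npm range operators: ^x.y.z, ~x.y.z, >=x.y.z, =x.y.z, x.y.z.
// Anything else (*, 1.x, ranges with ||, git/URL specs) is reported as unresolved.
const FLOOR_RE = /^(?:\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/;
const EXACT_RE = /^=?\s*v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function rangeFloor(range) {
  const m = FLOOR_RE.exec(String(range).trim());
  return m ? m[1] : null;
}

function isPinned(range) {
  return EXACT_RE.test(String(range).trim());
}

// Every dependency whose spec is not an exact version, across the sections
// npm installs from.
function findUnpinned(pkg) {
  const found = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!isPinned(range)) found.push({ name, range, floor: rangeFloor(range) });
    }
  }
  return found;
}

// lockfileVersion 2 and 3 keep a flat "packages" map keyed by install path.
function resolvedVersion(lock, name) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// One row per unpinned dependency: the range, the floor a scanner would
// grade, and the version actually installed according to the lockfile.
function auditRanges(pkg, lock) {
  return findUnpinned(pkg).map((dep) => ({
    ...dep,
    installed: resolvedVersion(lock, dep.name),
  }));
}

// Mirrors the package.json excerpt quoted in the findings.
const samplePackageJson = {
  scripts: { start: "node mcp_server.js" },
  dependencies: {
    "@modelcontextprotocol/sdk": "^1.10.0",
    zod: "^3.23.0",
  },
  engines: { node: ">=18.0.0" },
};

// Constructed lockfile fragment; versions are sample data only.
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@modelcontextprotocol/sdk": { version: "1.10.0" },
    "node_modules/zod": { version: "3.23.8" },
  },
};

console.table(auditRanges(samplePackageJson, samplePackageLock));
```

Pinning to the floor would pin the flagged version, so the remediation is to pin at or above the release each advisory names as fixed, commit `package-lock.json`, install with `npm ci` so the exact tree is reproduced, and run `npm audit` against the resolved tree. The page does not state which releases fix the three CVEs listed above; that has to come from the advisories themselves. For a real project, replace the two sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for the lockfile.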

VirusTotal

66/66 vendors report this skill as clean.
