ClawHub

卫星云图

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it fetches a public satellite cloud image, saves a small local cache, and returns the image to the user.

Install only if you are comfortable with it downloading from the disclosed satellite-image URL and keeping recent images in a local OpenClaw cache. Use trusted package sources for the OCR and image-processing dependencies, and invoke it explicitly when you want a satellite cloud image.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill description states it will automatically download the latest satellite cloud image and send it to the user, which implies network access and likely temporary file handling, yet no permissions are declared. This mismatch weakens security review and consent boundaries because the runtime capabilities exceed the declared trust surface, making it harder to audit or restrict the skill appropriately.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description uses broad keyword-based activation such as '云图' and '天气图', which can cause the skill to trigger on general weather requests rather than explicit satellite-image requests. This is primarily a scope/UX security issue: unintended activation may cause the agent to fetch remote content or return irrelevant data when the user did not clearly ask for this capability.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The execution condition says to run when the user expresses a need to view cloud maps or similar intent, but it does not define clear boundaries for what counts as a qualifying request. In an agent environment, this ambiguity can lead to accidental invocation, unnecessary network access, and reduced user control over tool execution.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal