
Security audit

tencentcloud-faceid-detectface

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: on invocation it sends user-selected face images or image URLs to the Tencent Cloud face-detection API. That is sensitive processing, but it is disclosed and aligned with the skill's stated purpose.

Install only if you are comfortable sending selected face images or image URLs to Tencent Cloud. Use least-privileged Tencent Cloud credentials scoped to this one API, process only images you have permission to analyze, leave optional attribute and quality detection off unless the use case needs them, and pin the SDK dependency to a reviewed version so an upstream update cannot silently change what is transmitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This skill processes face images and can return sensitive biometric and inferred personal attributes such as age, gender, mask status, and face quality, yet the documentation lacks a clear privacy notice about uploading images to Tencent Cloud and handling sensitive data. That is dangerous because users may provide biometric data without informed consent, and operators may deploy the skill without appropriate legal, policy, retention, or cross-border transfer controls.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script transmits user-supplied face images or image URLs to Tencent Cloud for biometric analysis, but it provides no explicit consent flow, privacy notice, data-handling disclosure, or warning that sensitive biometric data is being sent to a third party. Because facial imagery is highly sensitive personal data, this omission can lead to unintended privacy violations, compliance issues, and unsafe use in agent contexts where end users may not realize external processing occurs.
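Both findings above, and the recommendations in the Overview, come down to the same pre-flight checks: record informed consent before anything leaves the environment, accept images only from sources the operator has permitted, and request the minimum biometric detail. The following is an added example of such a guard; it is not the audited skill's code. The permitted directory, the allowlisted host, and the request keys (Image, Url, NeedFaceAttributes, NeedQualityDetection, chosen to mirror the Tencent Cloud DetectFace parameters) are assumptions, and the actual SDK call is left to the caller.

```python
"""Pre-flight guard for an agent skill that uploads face images to a cloud
face-detection API. Added example, not the audited skill's own code.

Assumptions not taken from the audit page: the permitted image directory and
URL host below are placeholders; the request is a plain dict whose keys
(Image, Url, NeedFaceAttributes, NeedQualityDetection) mirror the Tencent
Cloud DetectFace parameters; the actual SDK call is left to the caller.
"""
import base64
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy for this example: the only places images may come from.
PERMITTED_IMAGE_DIR = Path("/srv/consented-images")            # assumed path
PERMITTED_URL_HOSTS = frozenset({"images.example.internal"})   # assumed host

PRIVACY_NOTICE = (
    "This image will be sent to Tencent Cloud for face detection. Biometric "
    "data leaves your environment and may be retained by the provider."
)


class ConsentError(PermissionError):
    """Raised when a request lacks an explicit, informed consent record."""


class SourceNotPermitted(ValueError):
    """Raised when an image source is outside the permitted directory/hosts."""


@dataclass(frozen=True)
class Consent:
    subject: str                # whose face is in the image
    purpose: str                # what the detection result is used for
    acknowledged_notice: bool   # subject was shown PRIVACY_NOTICE and agreed


def consent_is_valid(consent: Optional[Consent]) -> bool:
    """Explicit, attributable consent is required before any upload."""
    return (consent is not None and bool(consent.subject)
            and bool(consent.purpose) and consent.acknowledged_notice)


def classify_source(source: str,
                    permitted_dir: Path = PERMITTED_IMAGE_DIR) -> Tuple[str, str]:
    """Map a user-supplied source to the single request field it may fill.

    Returns ("Url", url) for an http(s) URL on an allowlisted host, or
    ("Image", resolved_path) for a file inside the permitted directory.
    Anything else (other schemes, other hosts, paths escaping the directory
    via ".." or symlinks) raises SourceNotPermitted.
    """
    parts = urlsplit(source)
    if parts.scheme in ("http", "https"):
        # urlsplit().hostname drops userinfo, so "allowed-host@evil" is caught.
        if parts.hostname not in PERMITTED_URL_HOSTS:
            raise SourceNotPermitted(f"host not allowlisted: {parts.hostname}")
        return "Url", source
    if parts.scheme:                      # file:, data:, ftp:, ...
        raise SourceNotPermitted(f"scheme not allowed: {parts.scheme}")
    path = Path(source).resolve()         # collapses ".." and follows symlinks
    try:
        path.relative_to(permitted_dir.resolve())
    except ValueError:
        raise SourceNotPermitted(f"path outside permitted dir: {path}") from None
    return "Image", str(path)


def source_is_permitted(source: str) -> bool:
    """Boolean form of classify_source for policy checks and tests."""
    try:
        classify_source(source)
        return True
    except SourceNotPermitted:
        return False


def build_request(source: str, consent: Optional[Consent],
                  need_attributes: bool = False,
                  need_quality: bool = False) -> Tuple[dict, dict]:
    """Return (request_params, audit_entry), or raise before anything is sent.

    Attribute and quality inference stay off unless the caller asks, so only
    the biometric detail the stated purpose needs is requested.
    """
    if not consent_is_valid(consent):
        raise ConsentError("no informed consent recorded; refusing to upload")
    kind, value = classify_source(source)
    if kind == "Image":
        value = base64.b64encode(Path(value).read_bytes()).decode("ascii")
    request = {
        kind: value,
        "NeedFaceAttributes": 1 if need_attributes else 0,
        "NeedQualityDetection": 1 if need_quality else 0,
    }
    audit_entry = {               # keep alongside retention/deletion records
        "subject": consent.subject,
        "purpose": consent.purpose,
        "source_kind": kind,
        "attributes_requested": need_attributes or need_quality,
    }
    return request, audit_entry
```

The guard refuses before the network call rather than after, which is the only place a consent or scope check helps: once the bytes reach the provider, retention and cross-border handling are governed by its terms, not the skill's. The returned audit entry gives the operator the per-request record that a retention or deletion policy needs. Pinning of the SDK belongs in the skill's dependency file, with a version the operator has reviewed.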

VirusTotal

66/66 vendors flagged this skill as clean.
