Superpicky Cli

Security checks across malware telemetry and agentic risk

Overview

This is a real SuperPicky photo workflow wrapper, but it needs review because it downloads mutable upstream code, exposes broad Python execution, and can change photo folders or metadata.

Install only if you trust the upstream SuperPicky project and are comfortable running code fetched during installation. Prefer pinning or reviewing the upstream commit before use, avoid --py except for known trusted helper scripts, and test photo-processing commands on backed-up folders before using reset, restar, organize, --write-exif, or -y.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium (95% confidence)
The script advertises three primary entry modes but also exposes a fourth, generic `--py` launcher that can execute any Python file by absolute path or repo-relative path. In an agent skill context, this broadens the executable surface beyond the declared purpose and can let downstream automation invoke unintended maintenance, download, or developer-only scripts, weakening least-privilege expectations.

Context-Inappropriate Capability

Medium (97% confidence)
`--py` provides arbitrary Python-script execution using the skill's virtual environment, and it accepts absolute paths in addition to repo-relative paths. That effectively turns the wrapper into a generic code launcher, which is risky for agent ecosystems because a caller may be induced to run unexpected scripts outside the stated SuperPicky/BirdID/region-query workflows.

Missing User Warnings

Medium (84% confidence)
The skill documents destructive operations such as `reset`, `restar`, and BirdID organize/reset, and explicitly advises using `-y` when appropriate, but does not clearly describe what data is deleted, overwritten, or reorganized. In an agent context this is dangerous because automation may execute irreversible filesystem changes without sufficient user confirmation or scoped safety checks.

Missing User Warnings

Medium (91% confidence)
The function prepends the attacker-controlled or unverified .upstream path to sys.path and then imports birdid.avonet_filter, which executes that module's top-level Python code. If the .upstream contents are modified, replaced, or sourced from an untrusted checkout, running this CLI executes arbitrary code locally with the user's privileges rather than merely parsing data. In this skill context, .upstream is presented as data/source material for automation, so hidden code execution from that directory is more dangerous than a normal library import: users may not expect the query helper to run upstream Python.

Missing User Warnings

Medium (91% confidence)
This installer clones a remote GitHub repository and immediately creates an execution environment and installs dependencies from that unpinned upstream code. That is a real supply-chain risk: a compromised repository, branch, or dependency, or an attacker-controlled REPO_URL/BRANCH input, could lead to arbitrary code execution during clone, pip install, or later script execution, and the script presents no strong user-facing trust-boundary warning before doing so.

VirusTotal

67/67 vendors flagged this skill as clean.