Security audit

kami-conflict-detection

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for conflict detection, but it needs Review because it handles sensitive camera footage and includes under-scoped public image upload and installer supply-chain risks.

Install only if you are comfortable with camera frames leaving the device for Kami analysis and alert destinations. Avoid the Feishu sm.ms fallback unless every person and location being monitored is covered by your privacy/legal controls; prefer Feishu app upload, Discord/Telegram attachments, or a private image store. Treat config.json as secret material, restrict file permissions, remove unused ultralytics, pin dependencies, and verify the uv installer and model bundle before running setup on a production machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The README explicitly documents a fallback that uploads conflict snapshot images to the public third-party host sm.ms when Feishu inline image credentials are not provided. Because these snapshots come from camera feeds and may depict people in violent incidents, sending them to an external public image host materially expands data exposure and can leak highly sensitive surveillance content beyond the intended alerting channel.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The skill uploads locally captured conflict snapshots to sm.ms, an unrelated public third-party image host, when Feishu app credentials are absent. In a surveillance/conflict-detection skill, this creates a serious privacy and data-exfiltration risk because camera images of people may be published outside the primary service boundary without strong user awareness or control.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill auto-downloads a model bundle from the internet and extracts it into the skill directory at runtime. Even though the file is an ONNX model rather than traditional executable code, this still introduces supply-chain and integrity risks because a compromised hosting endpoint or tampered download could alter detector behavior or exploit parser/runtime weaknesses.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The setup script performs network installation steps beyond simple local environment preparation by installing uv and a portable Python runtime. While this is likely intended to make setup easier, it expands the trust boundary to external infrastructure and executes additional code not inherent to conflict detection itself.

Description-Behavior Mismatch

Severity: Low
Confidence: 83%
Finding
The script downloads and extracts a remote model bundle into the skill directory, modifying local files in a way that is not clearly disclosed by the manifest excerpt. This creates supply-chain and transparency risk because remote content is trusted and written into the runtime environment.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Piping a remotely fetched script directly into sh gives the remote server immediate code execution on the user's machine during setup. If the source is compromised, intercepted, or changed unexpectedly, arbitrary commands can run without review, which is especially dangerous in an installer path.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README recommends storing the Kami API key and webhook/bot credentials in config.json for persistence, but does not warn that these are sensitive secrets or advise on file permissions, secret rotation, or avoiding source control. This can lead operators to leave reusable credentials in plaintext on disk, where they may be exposed through backups, logs, misconfigured permissions, or accidental commits.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The README describes continuous surveillance, event clip export, snapshot capture, and transmission to external services without any privacy, consent, retention, or legal-compliance warning. In a camera-monitoring context, omission of data-handling safeguards increases the risk of misuse, overcollection, and unauthorized disclosure of footage involving identifiable individuals.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The analyzer converts camera frames to base64 and sends them to a remote API for conflict classification, but the code provides no user-facing disclosure, consent gate, or minimization control. In a surveillance context, silently transmitting live camera imagery of people to an external service is highly sensitive and materially raises privacy, compliance, and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
Conflict snapshots may be uploaded to Feishu, Discord, Telegram, or even the public sm.ms host without a clear user warning that captured images of people are leaving the device. Because this skill handles physical-conflict surveillance data, the context makes undisclosed image sharing especially dangerous.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The skill silently downloads and writes model files to disk on first run without explicit user notice. This is lower severity than image exfiltration, but it still affects transparency, trust, and supply-chain posture in a detection-focused skill.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script performs remote code execution via a fetched installer without a clear, explicit warning or consent step describing that network content will be downloaded and executed. This reduces user awareness and makes accidental trust of dangerous setup behavior more likely.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The setup script downloads a model archive and modifies files under the skill directory without a strong upfront warning about network transfer and filesystem changes. Although common for ML skills, silent downloads and extraction still increase supply-chain and transparency risk.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (declared dependency list, no version pins):
onnxruntime
opencv-python-headless
numpy
requests
Confidence: 95%
Finding
onnxruntime is declared without a version pin.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (declared dependency list, no version pins):
onnxruntime
opencv-python-headless
numpy
requests
ultralytics
Confidence: 98%
Finding
opencv-python-headless is declared without a version pin.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (declared dependency list, no version pins):
onnxruntime
opencv-python-headless
numpy
requests
ultralytics
Confidence: 97%
Finding
numpy is declared without a version pin.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (declared dependency list, no version pins):
onnxruntime
opencv-python-headless
numpy
requests
ultralytics
Confidence: 95%
Finding
requests is declared without a version pin.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (declared dependency list, no version pins):
opencv-python-headless
numpy
requests
ultralytics
Confidence: 99%
Finding
ultralytics is declared without a version pin.

Known Vulnerable Dependency: opencv-python-headless — 10 advisory(ies): CVE-2019-14493 (NULL Pointer Dereference in OpenCV.); CVE-2019-9423 (Out-of-bounds Write in OpenCV); CVE-2019-14491 (Out-of-bounds Read in OpenCV) +7 more

Severity: High
Category: Supply Chain
Confidence: 85%
Finding
opencv-python-headless

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 72%
Finding
numpy

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 90%
Finding
requests

Known Vulnerable Dependency: ultralytics — 1 advisory(ies): PYSEC-2024-154 (A number of releases of ultralytics contained malicious crypto miner software.)

Severity: Critical
Category: Supply Chain
Confidence: 99%
Finding
ultralytics

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.