
Security audit

kami-suspicious-person

Security checks across malware telemetry and agentic risk

Overview

This face-surveillance skill is mostly coherent, but it needs Review because it stores biometric data and can send face snapshots to external services, including an under-disclosed public image-host fallback.

Install only if you have authority and consent to run face-recognition monitoring on the cameras involved. Prefer local-only operation or tightly controlled Feishu/Discord/Telegram destinations; avoid the Feishu path without app credentials, because it may upload snapshots to sm.ms. Treat config.json, logs, face_db and alerts as sensitive data, set retention and deletion rules, and pin or verify dependencies and model downloads before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The setup script fetches and installs tooling from the network at install time, including a Python runtime via uv, which introduces a supply-chain trust boundary and arbitrary code execution risk if the remote source or transport path is compromised. While bootstrapping dependencies can be operationally justified for this skill, doing so by dynamically installing external tooling is still dangerous because it executes unaudited remote content on the host.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill description says alarms are output to stdout, but the code also writes snapshots and alerts to disk and sends them to Feishu, Discord, and Telegram. That mismatch is security-relevant because operators may deploy the skill expecting local-only behavior while it actually sends surveillance data to external services using the configured credentials.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code uploads face snapshots of detected strangers to the public anonymous image host sm.ms. In a surveillance/face-recognition skill, this is especially dangerous because it transfers biometric imagery to an unrelated third party without necessity for core detection and without strong access control, retention guarantees, or user awareness.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The code silently downloads model files from a remote URL at runtime when they are missing. This expands trust to an external server and creates supply-chain risk, especially since there is no integrity verification such as hashes or signatures before the models are extracted and used.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents persistent storage of face snapshots and transmission of alerts to external services, but it does not clearly warn about the sensitivity of biometric data, retention risks, consent requirements, or access control expectations. In a surveillance/face-recognition skill, this omission can lead operators to deploy privacy-invasive monitoring and exfiltrate sensitive images or identifiers without adequate safeguards.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill lacks a clear, upfront warning that it performs face recognition surveillance, stores face snapshots, and may transmit alerts, images, and credentials to external services. Because biometric data is highly sensitive, insufficient disclosure materially increases privacy and security risk and undermines informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script persists face embeddings to a local pickle database without any explicit notice, consent flow, retention controls, or guidance about handling biometric data. In the context of a surveillance skill that detects unknown people in sensitive areas, storing biometric identifiers increases privacy, compliance, and misuse risk because the database can be retained, copied, or repurposed for identification beyond the original use case.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Piping a downloaded installer script directly into sh executes remote code immediately without inspection, integrity verification, or pinning to a known-good artifact. This creates a direct remote code execution path if the upstream server, DNS, TLS trust chain, or download path is tampered with.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script downloads a model archive from the network and extracts it into the skill directory, creating a supply-chain risk and potential file overwrite risk if the archive contents are malicious or unexpected. Although model download is more aligned with the skill's face-recognition purpose than the uv installer, the lack of integrity verification and constrained extraction still makes this unsafe.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code saves face snapshots to disk automatically when an alert is triggered, but there is no visible user-facing consent, warning, or retention control in this file. Because these are biometric surveillance artifacts, silent persistence increases privacy, compliance, and breach exposure if the host is later accessed or backed up.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code transmits alert-related data and potentially face imagery to external services without explicit warning in the code path or the stated skill behavior. In the context of stranger detection and face recognition, undisclosed external transmission is particularly sensitive because it involves biometric and surveillance data that users may reasonably expect to remain local.

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
92% confidence
Finding
onnxruntime

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
97% confidence
Finding
opencv-python-headless

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
95% confidence
Finding
numpy

Unpinned Dependencies

Low
Category
Supply Chain
Content
onnxruntime
opencv-python-headless
numpy
requests
Confidence
94% confidence
Finding
requests

Known Vulnerable Dependency: opencv-python-headless — 10 advisory(ies): CVE-2019-14493 (NULL Pointer Dereference in OpenCV.); CVE-2019-9423 (Out-of-bounds Write in OpenCV); CVE-2019-14491 (Out-of-bounds Read in OpenCV) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
opencv-python-headless

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
87% confidence
Finding
numpy

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.