Back to skill

Security audit

Aggressive Behavior Detection | 畜禽争斗行为识别

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its livestock video-analysis purpose, but it silently manages local identities, registers/logs in to an external service, and persists tokens while sending media or URLs to remote APIs.

Install only if you are comfortable with barn media or remote video URLs being sent to LifeEmergence services and with the skill creating or reusing a local identity, reading a local smyx API key file if present, and storing service tokens in a workspace database. Review retention, account ownership, and who can access historical reports before using it with sensitive farm footage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
77% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
77% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that include shell execution, network access, local file reads/writes, and implicit identity handling, yet no explicit permissions are declared. This creates a transparency and governance gap: an agent may invoke sensitive operations without a clearly scoped permission model, increasing the risk of over-privileged execution and unexpected data access.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest presents the skill as a behavior-detection tool, but the body also instructs cloud-based historical report retrieval and generation of report links. This mismatch can mislead policy engines and users about the skill's real data flows, causing unreviewed network retrieval and exposure of report metadata beyond the declared purpose.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill claims internal identity values are never exposed, but it also documents automatic creation and reuse of a default local user identity. Persisting and silently reusing a fallback identity can cause cross-session or cross-user data mixing, especially for history lookup, undermining access separation even if the raw identifier is not shown to the user.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script exposes report-history listing through `show_analyze_list()` and the `--list` flag even though the manifest describes only video aggression detection. Hidden or undocumented functionality increases security risk because users and reviewers may not realize the skill can enumerate prior reports, which can leak sensitive operational data if access controls are weak or misapplied.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code initializes an internal user identity via `OpenIdUtil.resolve_current_open_id(...)` and then uses `ConstantEnum.CURRENT__OPEN_ID` to retrieve historical reports. In a skill whose stated purpose is simple video analysis, introducing hidden identity resolution and report access materially raises the risk of unauthorized data access, cross-user report enumeration, or privilege confusion, especially because the identity parameter is suppressed from help text.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill accepts arbitrary HTTP(S) URLs and forwards them for backend analysis without any allowlist, scheme/domain restriction, or clear boundary that only trusted video sources should be used. This expands the skill from local barn-video analysis into network retrieval, which can enable unintended access to internal or sensitive URLs through downstream services and violates least-functionality expectations from the manifest.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file exposes a generic HTTP/CRUD wrapper layer (`add`, `edit`, `delete`, `http_get`, `http_post`, `http_put`, `http_delete`) that is far broader than the stated purpose of detecting aggressive livestock behavior from barn video. In an agent-skill context, such unrestricted network and mutation primitives can be repurposed to access arbitrary endpoints, modify remote resources, or act as a general-purpose proxy, increasing abuse potential well beyond the declared functionality.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The `get_user_by_username` capability introduces user-account lookup functionality unrelated to the skill's declared video behavior analysis purpose. Even if intended for integration convenience, it expands the skill into identity/data access territory and may enable user enumeration or access to personal information when exposed through an agent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The utility creates or reuses persistent user identities and stores authentication material in local state, which is unrelated to the stated purpose of aggression detection from barn video. This expands the skill from analysis into identity provisioning and account persistence, creating unnecessary credential-handling risk and enabling hidden cross-session tracking or unauthorized API use.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads an identity value from a workspace file and falls back to local database records to resolve a user identity without any connection to aggression-detection analysis. Pulling credentials or identity context from local files and databases behind the scenes can silently impersonate a user and cause data to be sent under the wrong identity.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP helper automatically logs in or registers users against external services and populates tokens for later requests, which exceeds the declared scope of livestock behavior analysis. In context, this is especially risky because a video-analysis skill has no obvious need to provision remote accounts, so the behavior is unexpected and can enable unauthorized outbound access tied to local identities.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger conditions include broad behavioral keywords and auto-trigger logic that may activate the skill unexpectedly when users discuss aggression-related topics. Unintended activation can lead to unnecessary file handling, network calls, or history queries without sufficiently clear user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs automatic saving of uploaded attachments to local storage without a user-facing warning or retention policy. Silent persistence of user-provided media increases privacy risk, expands the local attack surface, and may retain sensitive operational footage longer than users expect.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill reads local file content or accepts remote video URLs and sends them to an analysis backend, but this file provides no user-facing disclosure, consent step, or data-handling notice before transmission. For barn video feeds, this can expose operationally sensitive footage, location details, or third-party hosted resources without clear user awareness, creating privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
A sensitive identity value is read from data/smyx-api-key.txt without any visible disclosure, warning, or consent flow. Even if intended for convenience, silently consuming local identity material is dangerous because users may not realize the skill is binding their actions to stored credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request wrapper attaches usernames and authentication tokens to outbound HTTP requests without any user-facing disclosure in this code path. Hidden transmission of identity and auth material is risky because it can expose user context to external systems and makes consent, auditing, and least-privilege enforcement difficult.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
90% confidence
Finding
requests.post(_url, json=

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2