Back to skill

Security audit

Basic Object Detection Skill | 基础目标检测技能

Security checks across malware telemetry and agentic risk

Overview

This skill does object detection through a cloud API, but it also silently creates or reuses an identity, stores tokens locally, and can retrieve cloud history, so it should be reviewed before installation.

Install only if you are comfortable sending surveillance images/videos or URLs to the configured lifeemergence.com cloud services, having the skill silently bind actions to a local/generated identity, storing service tokens in a workspace SQLite database, and allowing keyword-triggered retrieval of cloud-stored history reports. Use a separate workspace and avoid sensitive footage unless the publisher's retention and account controls are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation instructs use of network access, shell execution, local file reads/writes, and environment-backed behavior, but no corresponding permissions are declared. This creates a transparency and governance gap: a reviewer or runtime may treat the skill as low-risk while it can still access cloud APIs, save files locally, and invoke scripts.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is presented as basic object detection, but the documentation expands it into cloud-based historical report querying and report-link retrieval. This scope expansion increases data-access surface beyond the user-expected analysis task and can expose prior records tied to a user or tenant context.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
Claims of continuous tracking and alert triggering exceed the stated basic detection scope and may cause operators to over-trust the skill's authority or automation level. While largely documentation-driven, this mismatch can mask additional integrations or actions not obvious from the declared purpose.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
Automatically saving uploaded attachments locally goes beyond a detection-only expectation and introduces data-retention risk for potentially sensitive surveillance media. Even if done for processing convenience, undocumented local persistence broadens exposure in case of host compromise or mishandling.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatic internal identity initialization, fallback to a local default user, and reuse across tasks are not necessary for basic object detection and create cross-session/account confusion risks. This can cause report access or submissions to be silently associated with the wrong identity, enabling unintended data exposure or tenant mixing.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file documents pet health analysis APIs while the skill metadata describes a basic object-detection surveillance skill. This mismatch is dangerous because it can cause an agent or integrator to invoke unrelated sensitive health-analysis functionality, leading to unintended data handling, privacy issues, and confused-deputy behavior if the wrong backend is trusted or exposed.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill includes a hidden listing capability that retrieves analysis records by OpenID, which is unrelated to the advertised purpose of analyzing supplied media. Because the option is suppressed from normal help text and tied to an internal identity concept, it creates a risk of undisclosed data access or enumeration of prior analysis records.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file implements a broad generic network/CRUD client, including add, edit, delete, and arbitrary HTTP GET/POST/PUT/DELETE wrappers, which materially exceeds the stated purpose of a basic object-detection skill. In a surveillance-oriented skill, unnecessary remote-control and data-transfer capabilities expand the attack surface, enable misuse for unintended backend operations, and make it harder to constrain what data leaves the environment.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The get_user_by_username capability introduces user-account lookup behavior that is not justified by a basic object-detection skill. In this context, it creates an unnecessary path for accessing identity-related information, which can support user enumeration, privacy violations, or lateral expansion into account-centric workflows unrelated to detection.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This skill includes a full local user/account database layer, including table creation, schema mutation, and CRUD for user records, despite the declared purpose being basic object detection. The mismatch increases the risk of covert data collection, unnecessary persistence of user information, and expansion of the attack surface beyond what users would reasonably expect from a surveillance detection skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The User model stores identity fields and authentication-like secrets such as token and open_token without any evident justification from the object-detection use case. Persisting such sensitive data in a local SQLite database broadens the consequences of file disclosure or local compromise and suggests collection of credentials or session material unrelated to the advertised function.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility layer performs account lookup, implicit login/registration, token acquisition, and token persistence even though the advertised skill is basic object detection. That is a significant scope mismatch: invoking a surveillance-related skill may silently create or bind remote user identities and store authentication material locally, creating privacy, consent, and credential-handling risks.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code generates synthetic default open-id values, searches local state for reusable identities, and persists a default identity for future reuse without explicit user action. In the context of a basic object detection skill, silently assigning identities can misattribute actions, obscure accountability, and enable undisclosed tracking across sessions or services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill auto-triggers cloud history-report queries tied to an internal identity, but the description lacks a clear privacy warning or user-consent boundary. Users may believe they are only requesting detection help while the skill fetches potentially sensitive historical records from a remote service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states uploaded attachments are automatically saved locally without a clear warning about persistence, retention, or storage location. For surveillance images and video, this is privacy-relevant because sensitive media may remain on disk longer than users expect.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill sends user-supplied media paths or URLs to a backend analysis service without clearly warning the user that their data will be transmitted off-box. In a surveillance context, media may contain sensitive footage, so silent transfer can violate user expectations, privacy requirements, or handling policies.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script initializes and uses an internal OpenID mechanism without visible disclosure to the user, while also suppressing the related CLI argument from help output. Hidden identity binding in a tool that handles surveillance analysis increases the risk of undisclosed attribution, access to account-linked records, or privacy-sensitive backend operations performed under an internal user context.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When a local path is provided, the skill reads the entire file and sends its contents to the remote analysis API, but this file contains no user-facing disclosure, consent gate, or safety warning about that transfer. In a security-surveillance context, uploaded images or videos may contain sensitive personal or location data, so silent transmission increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool sends a local file path or remote URL to an external analysis backend via skill.get_output_analysis without any explicit consent, warning, or privacy notice at the point of use. In a surveillance/object-detection context, inputs may contain sensitive footage, location data, or internal URLs, so silent transmission can expose confidential information to another service or trust boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads an internal identity value from a workspace file and uses it as a fallback caller identity with no user-facing notice. This can cause silent identity reuse, leak operational assumptions about the environment, and undermine user consent and transparency when the skill is invoked.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code automatically performs network-based user creation/login and then persists tokens locally without a user-facing warning. This creates undisclosed external data transmission and credential storage behavior that is unrelated to the expected function of object detection, increasing privacy and account security risk.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
93% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 支持格式:视频支持 mp4/avi/mov 格式,图片支持 jpg/png/jpeg 格式,最大 10MB |
| 🧑‍⚖️ 结果性质 | 分析结果仅供安防管理参考,具体处置请按单位相关规定执行 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载 |
| 📁 格式支持 | 当显示历史检测报告清单的时候,从数据 json 中提取字段  作为超链接地址,使用 Markdown 表格格式输出,包含" |
Confidence
81% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "basic-object-detection-analysis"
description: "Detects people, vehicles, non-motorized vehicles, pets, and parcels appearing in the target area. Supports video stream and image detection, suitable for general security surveillance scenarios. | 基础目标检测技能,检测出目标区域内出现的人、车、非机动车、宠物、包裹,支持视频流和图片检测,适用于通用安防监控场景"
version: "1.0.8"
license: "MIT-0"
---
Confidence
78% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2