Back to skill

Security audit

Child Window/Balcony Climbing Detection | 儿童攀爬窗户/阳台识别

Security checks across malware telemetry and agentic risk

Overview

This skill performs child-safety video analysis through external cloud services, but it also silently provisions or reuses identities and stores authentication tokens, which needs user review before installation.

Install only if you are comfortable with child/home videos or URLs being sent to LifeEmergence cloud endpoints, reports being available through cloud history, and the skill creating or reusing a local/remote identity with cached tokens. Check whether your deployment has guardian consent, retention controls, and a way to delete local database records and cloud reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises significant capabilities including shell execution, file access, environment access, and networking, but does not declare permissions or boundaries. That creates a transparency and governance gap: users and hosting systems cannot accurately assess what the skill may access or transmit, which is especially risky because the skill handles sensitive child video data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents a local real-time child safety detector, but the actual behavior appears to send data to remote backend services, query historical reports, create or reuse local identities, and authenticate against platform services. This mismatch is dangerous because operators may provide highly sensitive children's videos under false assumptions about local processing, retention, alerting, and identity handling.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill documentation broadens scope from live safety detection into cloud-hosted historical report lookup and report-link retrieval, which introduces extra data access and retention surfaces. In a child-safety context, historical reports and linked artifacts may expose sensitive imagery and behavioral records beyond what a user expects from a simple alerting skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Although the skill is described as analyzing footage from fixed local cameras, it also accepts arbitrary network URLs that a remote API will fetch. This expands the trust boundary, can cause sensitive content to be transmitted off-device, and may enable abuse of backend fetch functionality against unintended resources if input validation is weak.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code accepts arbitrary http(s) video URLs and forwards them for analysis, which expands the skill from local/fixed-camera child-safety monitoring into a generic remote video fetch capability. This can enable privacy abuse, unauthorized analysis of third-party streams, and potentially server-side fetching of attacker-controlled URLs, especially risky given the sensitive child-monitoring context.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is described as child window-climbing detection, but this file implements a reusable user-account DAO with identity and token handling unrelated to that purpose. This scope mismatch increases the risk of unnecessary collection and persistence of user/account data, broadening the attack surface without clear functional justification.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The model stores personal profile fields and authentication-related tokens (email, birthday, real name, token, open_token) even though the stated skill purpose does not justify this data processing. In a home child-safety camera context, collecting unrelated identity and token data materially raises privacy and compromise impact if the local database is exposed.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The utility layer performs remote account provisioning, token retrieval, token caching, and authenticated API setup that are unrelated to the declared child-window-climbing detection purpose. This creates hidden identity and network side effects: simply using request helpers can trigger registration/login behavior and persistent token handling, expanding the skill's privilege and data exposure far beyond what users would expect from a safety-monitoring skill.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code silently creates or reuses default user identities, including persistent local storage and generation of synthetic usernames, even when no explicit user identity was provided. In the context of a child-safety monitoring skill, hidden identity creation is unnecessary and risky because it can enable undisclosed tracking, attribution, or backend account linkage without informed consent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The workspace and agent-context discovery logic inspects environment variables and filesystem layout to determine current agent roots, data directories, and skills directories. While this is not overtly malicious, it exceeds the needs of child-window-climbing analysis and can facilitate broader access to agent-local data and installation surfaces, increasing blast radius if other components misuse these paths.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill handles highly sensitive recordings of children and may transmit videos and snapshots to cloud or API services, yet it does not clearly warn users about that data flow where the feature is introduced. In this context, omission is particularly dangerous because users may assume on-device processing and unknowingly expose minors' images, locations, and behavior to remote systems.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill reads the full contents of a local video file and transmits it for analysis without any visible disclosure, consent check, or minimization in this code path. In a child-window safety skill, these videos are likely highly sensitive household recordings, so silent exfiltration to an analysis backend creates meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The code automatically creates a local SQLite database on initialization without any user-facing disclosure. That is not inherently malicious, but in this skill context it silently introduces local persistence, which matters because the same module also stores user identity and token information.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The code silently alters the schema of an existing local database at runtime, adding user-related columns without notice. In this context, that can expand what personal data is retained and processed without operator awareness, which is risky for a child-monitoring skill deployed in a home environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads an internal identity value from data/smyx-api-key.txt and uses it as an open-id source without any visible disclosure, prompt, or consent. This is dangerous because a local workspace file can silently influence remote identity selection, causing unexpected account binding or data association behind the user's back.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The helper automatically sends login/registration data to a remote endpoint with silent and register flags enabled, without any user-facing disclosure. This is particularly risky because it can create remote accounts and transmit identifiers in the background, which is unrelated to the skill's stated child-safety function and undermines user expectations and privacy.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2