Back to skill

Security audit

Student Classroom Engagement Analysis | 学生课堂情绪参与度分析

Security checks across malware telemetry and agentic risk

Overview

This skill analyzes student classroom video through a remote service, but it also creates and stores a reusable internal user identity and report history despite strong anonymity claims.

Review before installing. Only use this in an environment with explicit school and parent consent, clear data-retention terms, and confidence in the external service operator. Confirm where videos, heatmaps, reports, user identifiers, and tokens are stored, who can access report history, and how to delete local and cloud records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell, network, file read/write, and environment-backed capabilities without declaring any permissions or trust boundaries. That makes review and policy enforcement difficult and hides that the skill can access local state and remote services beyond simple classroom-video analysis.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest describes anonymous engagement analysis, but the documented behavior includes persistent identity creation, token handling, backend history queries, and local storage of user metadata. This mismatch is dangerous because operators may approve or deploy the skill under false assumptions, while it actually performs account-like tracking and broader data access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file claims no identity storage and only anonymous seat-coordinate output, yet the workflow ties reports to a persistent internal identity. In a student-monitoring context, especially involving minors, this undermines anonymity claims and can enable longitudinal tracking of classroom activity tied to a user account.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Automatically creating and reusing a local default user introduces persistent identity and state without explicit need for the stated anonymous analysis purpose. This can silently bind analyses and report history to a durable account, increasing privacy risk and making unauthorized reuse of prior session context more likely.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation simultaneously promises a strong anonymity constraint and describes internal identity handling and persistent report association. This contradiction is especially dangerous for a classroom-surveillance skill because privacy assurances may be relied on by schools, parents, or deployers when processing minors' data.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill advertises anonymous, real-time classroom engagement analysis, but the code initializes hidden internal identity resolution via open_id and exposes a per-user analysis listing path. In an education context involving student emotion/facial analysis, linking records to a user identity materially increases privacy risk, enables tracking beyond the stated purpose, and undermines the anonymity claim.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The user-facing text claims anonymous low-engagement reminders only, while the implementation also supports identity-linked listing through open_id. This mismatch is dangerous because operators may deploy or authorize the tool under false assumptions about anonymity, leading to covert collection or retrieval of sensitive student behavioral data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill accepts arbitrary HTTP(S) video URLs, which materially expands data sources beyond the stated fixed-classroom-camera use case. In a student-monitoring context, this can enable analysis of external or unauthorized videos, increasing privacy, consent, and policy-bypass risk and potentially allowing server-side fetching of untrusted remote content.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The report listing/history capability indicates retention and later retrieval of prior analyses, which conflicts with the manifest's framing of real-time reminders without identity storage. For classroom facial-expression analysis, retaining accessible history increases the chance of unauthorized review, profiling, or secondary use of sensitive student monitoring data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Generating exportable report image links suggests analyses can be persisted and shared outside the immediate classroom session. In an educational biometric/affective analysis setting, exportable artifacts can facilitate unauthorized distribution of sensitive engagement and emotional-state inferences about students.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This file implements a generic API wrapper with create, update, delete, listing, and arbitrary HTTP GET/POST/PUT/DELETE methods, which is substantially broader than the narrowly described classroom-engagement function. Such broad network primitives can be reused by the skill or adjacent code to reach unrelated backend endpoints, manipulate remote resources, or exfiltrate data if untrusted inputs influence the URL or request payloads. In a classroom video-analysis context, this is more sensitive because the surrounding system may process student-related data, making overbroad remote access capabilities riskier than necessary.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is described as real-time classroom engagement analysis with no identity stored, yet this shared DAO persists user-account records and related metadata in a local database. That creates an unjustified identity store outside the stated purpose, increasing privacy risk, expanding attack surface, and undermining the skill's data-minimization claim in an education context involving students.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores username, real name, email, birthday, age, and especially token/open_token fields, none of which are justified by the skill's stated function of anonymous real-time engagement analysis. In a classroom setting, collecting or retaining identity-linked data and credentials is particularly sensitive because it can enable student profiling, unauthorized account linkage, or credential exposure if the local SQLite database is accessed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility performs remote account provisioning, token acquisition, token persistence, and general API request handling that substantially exceeds the declared classroom engagement purpose. In a skill that claims limited real-time classroom analysis, hidden identity, account, and external API behaviors increase the risk of unauthorized data transmission, backend account creation, and capability creep outside user expectations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code reads a persistent identifier from data/smyx-api-key.txt, falls back to a local database, and if absent creates a new default open-id and stores it for reuse. That directly conflicts with the manifest's claim that no identity is stored, making this especially dangerous in a classroom/student-analysis context where users would reasonably expect anonymity or at least no persistent personal tracking.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The HTTP client returns billing and recharge instructions when a 402 response is received, introducing payment workflow behavior unrelated to classroom engagement analysis. This hidden monetization path can mislead operators, create unexpected prompts, and indicates the skill contains broader commercial functionality than declared.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation exposes an export endpoint for a complete report and a heatmap image URL in a system that analyzes minors in classrooms, but it does not define access controls, retention limits, sharing restrictions, or user-facing privacy warnings for those outputs. Even if names are omitted, seat-level heatmaps and historical reports can enable re-identification or inappropriate monitoring when combined with classroom context, making this especially sensitive in a school setting.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code reads local file contents and uploads them for analysis without any visible user-facing disclosure, confirmation, or consent mechanism in this component. Given the skill processes classroom videos containing students' faces and inferred emotional states, silent upload raises significant privacy and compliance concerns even if the transport itself is expected behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script defines a hidden `--api-key` argument using `argparse.SUPPRESS`, while the tool performs network-backed analysis and does not clearly disclose credential usage or remote transmission to users. Hidden credential parameters reduce transparency, can encourage insecure secret handling on the command line, and may cause users to unknowingly send sensitive classroom video data and authentication material to a backend service.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code derives a workspace path from environment variables and filesystem layout, then uses it to locate or create agent data/skills directories automatically. While not an immediate exploit by itself, silent use of sensitive environment-derived paths can cause data to be written into unexpected locations, especially in multi-agent or shared environments, without user awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The utility automatically creates local data and skills directories via os.makedirs(..., exist_ok=True) without any user-facing disclosure or consent. In a privacy-sensitive classroom setting, silent persistence increases the chance of unnoticed local retention of identifiers, tokens, or analysis artifacts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request wrapper automatically attaches application identifiers, tokens, and a resolved username/open-id, and may add tenant and platform metadata before sending network requests. In this skill context, that is more dangerous because the manifest suggests non-identifying classroom analysis, yet the implementation can transmit persistent identity and authentication material to external services without clear disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2