Back to skill

Security audit

Environmental Anomaly Trigger | 畜禽舍环境异常联动

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its barn video analysis purpose, but it also silently creates or reuses an identity, logs into a remote service, and stores tokens/profile data locally with limited user control.

Install only if you are comfortable with this skill sending barn media or URLs to the LifeEmergence service, automatically creating or reusing an internal identity, retrieving cloud history, and storing authentication/profile data in a local workspace SQLite database. Prefer a version that documents retention/deletion, avoids plaintext token storage, and asks before identity-linked history or account operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (20)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented behavior and associated tooling imply shell execution, local file persistence, environment access, and outbound network/API use. This creates a transparency and trust gap that can lead to over-privileged execution without informed consent or appropriate sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill claims to perform livestock environmental anomaly correlation, but the broader behavior includes persistent identity creation, local SQLite user storage, remote login/token acquisition, and historical report retrieval unrelated to the stated core function. Such hidden or under-disclosed behavior expands the attack surface and can cause users to submit data under false assumptions about how it is processed and stored.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill accepts arbitrary http/https video URLs and forwards them to the backend analysis service, which introduces network-fetch capability beyond simple local media analysis. If the downstream service retrieves these URLs server-side, this can enable SSRF-style access to internal resources or unintended processing of attacker-controlled remote content.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The CLI advertises video analysis but also exposes a hidden `--open-id` parameter and a `--list` mode that retrieves analysis history for the current or resolved user context. Hidden functionality tied to identity or history access increases the risk of unauthorized data exposure, especially if `OpenIdUtil.resolve_current_open_id` or downstream APIs do not strictly enforce authentication and authorization.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The http_post/http_put/http_get/http_delete methods accept arbitrary URLs and forward caller-controlled requests, creating a general-purpose network primitive inside the skill. In a skill whose stated purpose is analysis of barn video and sensor data, this capability is unnecessarily broad and could be abused by other components to reach unintended internal or external services, increasing SSRF and data-exfiltration risk.

Context-Inappropriate Capability

High
Confidence
75% confidence
Finding
The model stores authentication and profile-related data such as token, open_token, email, birthday, and identity fields in a local SQLite database without any visible encryption, minimization, or access-control safeguards in this module. In the context of a livestock environmental anomaly analysis skill, retaining auth/profile data appears unnecessary and increases the blast radius if the workspace or database file is accessed by another component or user.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This utility file implements login, account bootstrap, token acquisition, and persistence logic that is unrelated to livestock/environmental anomaly analysis. In skill context, that is dangerous because it silently extends scope from analytics into identity handling and remote service access, creating an unnecessary channel for account creation, credential storage, and backend interaction.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code reads workspace identity material from environment variables and data files to derive an effective user identity. That capability is not justified by the stated purpose of analyzing barn videos and sensor data, so it expands the skill's access to local context and secrets in a way users would not reasonably expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill can create persistent local user records and generate default identities automatically when none are supplied. For an environmental anomaly analysis skill, silent identity creation is out of scope and dangerous because it establishes durable local state and enables downstream authenticated requests without informed user action.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The history-report trigger phrases are broad enough to be activated by normal user language, which can cause unintended cloud API calls and retrieval of historical records. In a skill that auto-associates identities and accesses prior reports, accidental triggering increases privacy and data exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that uploaded attachments are automatically saved locally but does not present this as a clear user-facing warning at the point of collection. Silent local persistence of user-supplied media and sensor files increases the risk of unintended retention, disclosure, or later misuse of potentially sensitive operational data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not clearly warn users that URLs, uploaded media, and related analysis data are transmitted to a server-side API for processing. Undisclosed remote transfer of operational video and possible sensor data can expose sensitive farm information and prevents informed consent about third-party processing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads local file contents into memory or submits a remote video URL, then sends that data to an external analysis API without any user-facing disclosure or confirmation in this path. This creates a privacy and data-handling risk because potentially sensitive barn footage or operational data may be transferred off-host unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The HTTP request path attaches user identifiers and authentication tokens to outbound requests and may populate identity fields into request bodies automatically. Without clear user-facing disclosure or strict necessity for the skill's stated purpose, this creates a privacy and security risk through unexpected transmission of identity and credential material.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The code persists a generated default user record locally without any evident notice to the user. While lower severity than token transmission, it still creates unexpected durable identity state unrelated to the skill's declared barn-analysis function.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 图片支持 `jpg` / `png` / `jpeg`;视频支持 `mp4` / `avi` / `mov`;单文件最大 `10MB`;可选 csv/json 传感器数据 |
| 🧑‍⚖️ 结果性质 | 分析结果仅供环境-行为异常联动预警参考,本技能不提供设备操作指令或环境调控建议 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能使用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数无需本地下载,默认为公网地址,API 服务会自动下载 |
| 📜 报告输出 | 显示历史分析报告清单时,从接口返回 JSON 数据中提取字段作为超链接地址,并自动转化为 Markdown 表格输出 |
Confidence
78% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-environmental-anomaly-analysis"
description: "Combines livestock behavior in continuous barn videos with environmental sensor data (temperature, humidity, ammonia, etc.) to identify group stress responses caused by abnormal in-barn conditions. | 结合畜禽行为与环境传感器,识别温湿度异常时的群体应激反应。"
version: "1.0.0"
license: "MIT-0"
---
Confidence
72% confidence
Finding
description:; ‍

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2