Back to skill

Security audit

Adult Facial HRV Trend Monitoring (rPPG) | 成人心率变异性(HRV)趋势监测(面部)

Security checks across malware telemetry and agentic risk

Overview

This HRV skill appears to perform its advertised cloud-based analysis, but it also silently links or creates user identity records and stores service tokens while handling sensitive facial health data.

Review before installing. Use this only if you are comfortable sending facial video or HRV-related data to the Life Emergence cloud service, having reports tied to an internal identity, and having local identity/token records stored in the workspace data directory. Avoid sensitive media unless you understand the service’s retention and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises no explicit permissions, yet the documentation clearly instructs use of local file handling, shell execution, environment use, and network access. This creates a permission-transparency gap that can mislead reviewers and users about the real capability surface, especially for a health-related skill that handles biometric media and remote API calls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill’s documented behavior extends beyond local HRV video analysis into cloud history retrieval and automatic identity handling, introducing hidden data flows not central to the stated purpose. Because the data involved is health-related and tied to facial video/biometric context, silent identity association and remote querying materially increase privacy and data-exposure risk.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest and top-level description frame the skill as camera-based HRV computation, but the documented workflow includes cloud-hosted report listing and link generation as a core path. This mismatch weakens informed consent and can cause users to invoke networked report retrieval without understanding the broader functionality.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill includes a hidden identity-resolution flow and a history/listing capability via `OpenIdUtil.resolve_current_open_id` and `show_analyze_list(open_id)` that are not necessary for one-off local/video HRV analysis. This creates a privacy and authorization risk because a user invoking the tool may unintentionally access or enumerate analysis history tied to an internal user identity, especially since the `--open-id` argument is suppressed from help but still accepted.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This file implements a generic API client with arbitrary URL-based POST/PUT/GET/DELETE and CRUD helpers that are far broader than the declared HRV/rPPG monitoring purpose. In a skill that is expected to analyze facial video and compute HRV metrics, this creates unnecessary capability for outbound network access and remote state changes, increasing the attack surface for data exfiltration, unauthorized backend interaction, or repurposing the skill as a general network proxy.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The add/edit/delete/http_put/http_delete methods expose remote modification capabilities without any visible restriction to approved endpoints or HRV-specific operations. If higher-level code passes attacker-controlled or unintended URLs/parameters into these helpers, the skill can modify remote resources or trigger destructive actions unrelated to its stated health-monitoring purpose.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file defines a shared User/UserDao persistence layer with account-like records, including usernames, real names, email, birthday, and tokens, which is unrelated to the stated facial HRV trend-monitoring purpose. In a health-oriented skill, retaining unrelated identity and account data broadens privacy risk, creates unnecessary sensitive-data concentration, and increases the impact of local compromise or accidental cross-skill access.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model includes token and open_token storage alongside identifying fields, but the skill description is limited to camera-based HRV analytics. Persisting authentication or access tokens without a clear functional need creates a serious secret-handling problem and materially raises the consequences of local DB access, especially in a biometric/health context where data sensitivity is already elevated.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The generic DAO offers broad create/read/update/delete and counting capabilities over local data, including deletion and mutable updates, which exceeds the narrow analytics purpose described for facial HRV monitoring. In isolation generic CRUD is common, but in this skill context it indicates an unnecessarily broad local data-management surface that could be reused to manipulate unrelated records or persist excess sensitive information.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The file defines an `AgentSkill.ai_chat` capability that accepts arbitrary prompts and is unrelated to the advertised facial-video HRV analysis function. Even though the subprocess invocation is currently commented out, this creates an undocumented AI-agent execution surface in shared skill code, increasing the chance that downstream skills expose unintended capabilities or later re-enable external agent access without proper review.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility file contains authenticated API orchestration, token handling, account lookup/provisioning, and automatic identity propagation that are unrelated to facial-video HRV analysis. In the context of a health-monitoring skill, hidden account and remote-service workflows materially expand the trust boundary and can cause undisclosed transmission of identities and tokens to external systems.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads a workspace credential file, reuses stored local identities, and creates persistent default user identities when none exist. For a facial HRV analysis skill, this is unjustified identity persistence that can silently bind a user to backend accounts and create tracking or unauthorized account usage risks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code silently calls a remote phoneLogin endpoint with register=1 and user-derived identifiers, enabling auto-registration or login without an explicit user-driven authentication step. In a medical-analysis context, this is especially dangerous because users would not reasonably expect biometric-adjacent tooling to create or access external service accounts behind the scenes.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The workspace detection and skills/data directory manipulation logic is broader than what is needed for simple HRV trend analysis. Although not inherently malicious, it gives the skill environmental awareness and filesystem reach that can support persistence, cross-skill interaction, or data access outside the stated medical purpose.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The history-report trigger phrases are broad and include generic report-query wording, which can cause unintended invocation of cloud-backed history retrieval. In a health-monitoring context, accidental activation can expose or process sensitive user-linked records without sufficiently specific intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that uploaded attachments and media are automatically saved locally, but does not present this as a clear upfront warning to the user. Because the inputs are facial videos containing biometric and health-related data, silent local persistence increases privacy, retention, and unauthorized-access risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill mandates direct cloud API calls for history-report queries without a clear warning that user-linked health data may be transmitted or retrieved remotely. In the context of biometric/health monitoring, this is especially dangerous because users may not realize they are triggering remote processing of sensitive records.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When debug mode is enabled, the code turns on low-level HTTP and exception logging, which can expose request contents, response bodies, identifiers, and authentication material in logs. Because this skill also performs account and token workflows, the logging becomes more dangerous than in a purely local utility.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill reads a workspace credential/identity file to obtain an internal identity value without any visible disclosure or consent. In the context of a facial-health skill, silently harvesting local identity material is inconsistent with user expectations and can enable undisclosed account linkage and outbound authentication.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The HTTP helper automatically attaches user identity fields and authentication tokens to outbound requests, even for generic calls, without an explicit per-request disclosure boundary. This creates a substantial risk of silent data sharing, token misuse, or overbroad authentication propagation to services unrelated to the user's expected HRV analysis workflow.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
97% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2