Back to skill

Security audit

Fish Surface Symptom (White-spot / Hyperemia / Fin-rot) Detection | 鱼类体表白点/充血/烂尾识别

Security checks across malware telemetry and agentic risk

Overview

This fish-analysis skill is in Review because it sends media to a cloud service and automatically creates or reuses a remote identity while storing account tokens locally with limited user-visible control.

Install only if you are comfortable with fish images/videos and report history being sent to the Life Emergence cloud service, and with the skill automatically creating or reusing an account identity. Treat uploaded aquarium footage as retained cloud data unless the provider documents deletion. Review or clear the workspace data directory and local SQLite database if you do not want persistent identity tokens stored on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (27)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill manifest declares a simple fish-image analysis purpose, but the documented workflow instructs use of local scripts, local file save behavior, network/API access, shell execution, and local persistence without any explicit permission declaration or user-facing consent model. This is dangerous because an agent or user may treat the skill as low-risk image analysis while it actually has broader capabilities that can access workspace data, write files, and call remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill claims to perform fish symptom detection, but the behavior described and detected extends to historical remote record listing, default user/open-id creation, local SQLite persistence, login/token handling, and workspace file/database access. This mismatch is dangerous because it hides identity, persistence, and data-access behaviors behind an innocuous medical-imaging use case, increasing the chance of unauthorized collection or cross-session data access.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The code accepts a caller-supplied `open_id` and passes it into identity resolution despite the comment implying no user input is required. If `OpenIdUtil.resolve_current_open_id` trusts this value, an attacker could impersonate another user context and access or influence user-scoped history and analysis records.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill accepts arbitrary local files or remote URLs for upload/analysis even though the declared purpose is narrowly framed as fish body-surface symptom detection from camera imagery. This capability mismatch can cause unintended exfiltration of unrelated user data and broadens the attack surface, especially because any http/https URL is forwarded without domain restrictions or visible consent flow in this file.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The skill exposes report-history and export-link generation functionality that is not described in the manifest's disease-detection purpose. Undocumented data-retrieval features can leak prior analysis metadata or report artifacts beyond user expectations, particularly if access control is handled weakly elsewhere.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
The history-listing capability exposes prior analysis results based on an open_id and is unrelated to the stated narrow purpose of symptom detection. Hidden/internal parameters and extra data-access features increase the attack surface and may enable unintended access to historical analysis data if identity binding or authorization is weak elsewhere in the stack.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file implements a generic network-capable API wrapper with broad CRUD operations and arbitrary HTTP GET/POST/PUT/DELETE methods that are not constrained to fish-symptom analysis. In a narrowly scoped vision-analysis skill, this creates unnecessary capability expansion: other components can reuse it to access unrelated endpoints, move data off-platform, or perform unauthorized state-changing actions if user-controlled URLs or parameters flow into these methods.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The get_user_by_username method introduces identity/user-enumeration capability that is unrelated to aquarium image disease detection. If reachable from the skill flow, it could enable unnecessary collection or probing of user account information, broadening the privacy and security exposure well beyond the declared skill purpose.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file defines a generic user/account persistence layer with user lookup and default-user selection, which is outside the stated purpose of fish surface symptom detection. Scope expansion like this increases attack surface and creates opportunities for undisclosed identity handling unrelated to the skill's advertised function.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code initializes and mutates a local SQLite database even though the skill description presents the feature as image-based symptom detection/analysis. Hidden stateful storage is risky because users and reviewers may not expect persistence, and it broadens the consequences of compromise or misuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores identity and authentication-related fields such as username, realname, email, token, and open_token, which are unjustified for a fish disease detection skill. Collecting and retaining these fields without clear functional need creates privacy and credential-handling risk, especially because tokens are stored directly in a local SQLite database.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility file contains account provisioning, token persistence, open-id resolution, and remote login behavior that is unrelated to fish-symptom image analysis. That creates hidden identity, authentication, and network side effects in a domain-specific skill, increasing the chance of undisclosed data transmission and unauthorized account creation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The request path can silently create or register platform users as a side effect of ordinary HTTP use by calling a phoneLogin endpoint with register=1 and a derived username/openId. This means simply invoking the utility may mutate remote state and create identities without the user's awareness or approval.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest defines broad trigger phrases that automatically invoke cloud history-report queries whenever users mention history-like terms, without clear scoping, confirmation, or resource boundaries. This is dangerous because benign conversational text can trigger retrieval of potentially sensitive historical records associated with an internal identity, leading to unintended data exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow states that uploaded attachments and image/video files are automatically saved as local files, but this storage behavior is not clearly surfaced as a prominent warning in the skill description or consent flow. This is dangerous because users may provide sensitive media assuming transient processing, while the skill silently creates local copies that expand retention and disclosure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads the full contents of a local file and transmits them to the analysis backend without any visible user-facing warning, consent prompt, or data-handling disclosure in this file. For a skill that may be invoked on arbitrary paths, this creates a meaningful privacy and data-exfiltration risk if users misunderstand what is being uploaded.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends local file paths or remote URLs to a backend analysis service via skill.get_output_analysis without any explicit user-facing disclosure that media may leave the local environment. In a camera-based fish-monitoring context, uploaded aquarium or home footage can contain sensitive surroundings, making silent transmission a privacy risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The helper automatically creates workspace data and skills directories, causing persistent local side effects without user-facing disclosure. In an agent environment, silent filesystem writes can be used to stash identifiers, tokens, or future payloads outside the user's expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads an identity value from a local api-key file and reuses it as an internal open-id without clear disclosure. This can silently bind actions to a local identity and may expose or misuse credentials/identifiers stored in the workspace.

Missing User Warnings

High
Confidence
98% confidence
Finding
This code automatically sends a network login/registration request using a derived identity, including openId and mobile fields, without explicit disclosure. Hidden authentication traffic is especially risky because it can create accounts, transmit identifiers off-device, and tie user activity to unintended remote identities.

Missing User Warnings

High
Confidence
97% confidence
Finding
The HTTP utility injects and transmits environment-derived identity and tenant data such as tokens, open-id/username, tenantCode, skillHubName, and skillPlatform. Because this occurs in shared request plumbing, downstream callers may unknowingly leak identity metadata to external endpoints, which is not justified by the fish-analysis use case.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
| 🔎 使用提醒 | **4 级告警策略递进**(mild → moderate → severe → urgent/Level 4),多日反复 / 同缸多发进入 Level 4 |
| 🔎 使用提醒 | 单日告警上限:Level 1 × 6 / Level 2 × 3 / Level 3 × 2 / Level 4 不设上限(紧急安全优先) |
| 🔎 使用提醒 | 红线约束 |
| 🧑‍⚖️ 结果性质 | **禁止**对鱼做"小瓜虫病 / 细菌性败血症 / 水霉病 / 柱状菌病 / 立鳞病 / 寄生虫感染"等具体疾病诊断 |
| 🔎 使用提醒 | **🚨 绝对禁止**输出具体药物名称、剂量、给药方案(包括但不限于:孔雀石绿、甲基蓝、黄粉、庆大霉素、土霉素、福尔马林等) |
| 🔎 使用提醒 | **禁止**长期存储完整鱼缸图像/视频(≤ 7 天,仅入库症状事件帧;公共水族馆按管理规定) |
| 🔎 使用提醒 | **禁止**用于商业广告 / AI 训练;禁第三方共享 |
Confidence
72% confidence
Finding

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2