Back to skill

Security audit

Pet Grooming Effectiveness & Hairball Risk Analysis | 宠物梳毛器梳理效果与毛球风险

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised pet grooming media analysis, but it also creates or reuses account identity, stores tokens locally, and queries cloud history with limited user-facing consent.

Review this skill before installing. It sends provided pet images/videos or URLs to a remote service, may automatically create or reuse an internal account identity, can retrieve cloud-stored history, and stores user/token data in a local workspace database. Install only if that account-bound remote processing and local persistence are acceptable for your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
73% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
73% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs use of local files, local saving, shell execution, and remote API access, yet declares no permissions. This mismatch can mislead reviewers and users about the actual trust boundary and operational capabilities, increasing the chance that sensitive files or network actions occur without informed approval.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exposes a history-listing feature via `--list` that goes beyond the stated purpose of analyzing a user-provided grooming image or video. Expanding capability into retrieval of prior analyses increases access to potentially sensitive user data and broadens the attack surface, especially because this functionality is not clearly disclosed by the manifest description.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code resolves and uses an internal user identifier before processing, and later uses `ConstantEnum.CURRENT__OPEN_ID` to retrieve analysis history. For a media-analysis skill, hidden identity binding is not necessary to perform file or URL analysis, so tying execution to an internal identifier creates an unjustified privacy boundary crossing and could expose another user's historical data if identity resolution is mis-scoped or manipulated.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This file exposes a broad, generic API wrapper surface (add/edit/delete/http_get/http_post/http_put/http_delete, plus page/list) that is not constrained to the grooming-analysis skill’s declared purpose. In a skill that should only analyze pet grooming media, arbitrary request forwarding and generic CRUD increase the chance of unauthorized backend access, misuse of internal APIs, or future feature abuse if untrusted inputs can reach these methods.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The presence of a generic user-account persistence layer in a pet grooming analysis skill materially expands the skill's capabilities beyond its stated purpose. This kind of hidden or unnecessary identity/token storage increases the attack surface, creates privacy risk, and can facilitate unintended cross-feature data retention if the skill or shared libraries are reused broadly.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This DAO automatically creates and manages a broad local database with generic CRUD operations unrelated to the declared grooming-analysis function. In the skill context, that mismatch is suspicious because it enables durable local state, user-data storage, and schema mutation that a media-analysis feature does not obviously need, increasing the blast radius of compromise and the chance of covert data collection.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The utility generates default user identities, queries a local user database, and persists user records for later reuse, which is unrelated to the declared pet grooming media-analysis purpose. This expands the skill into identity management and local account state persistence without clear user consent, creating a hidden identity surface that can be reused across requests and skills.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP helper performs a phoneLogin/register flow as a side effect of making ordinary requests, silently creating or resolving accounts before API access. For a grooming-analysis skill, this is a hidden behavioral expansion that can transmit user identifiers to external services and trigger account creation without clear necessity or disclosure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Reading workspace API-key/open-id files and local user data extends the skill's behavior beyond simple media analysis into credential and identity discovery. In the context of a grooming tool, this is unjustified privilege expansion that can cause unintended reuse of workspace identities across unrelated operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description states that local uploads and network URLs are processed by server-side APIs, but it does not clearly warn users that their media or referenced content may be transmitted to a remote service. This creates a privacy and consent gap, especially if users provide sensitive images, videos, or internal URLs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill says uploaded attachments are automatically saved as local files, but it does not clearly notify users about this file-handling behavior. Silent persistence of user media increases privacy risk and can expand exposure if files are retained longer than expected or stored insecurely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill requires direct cloud API access for history-report queries without clearly informing the user that remote account-associated data will be retrieved. This can surprise users and expose private historical records or metadata through an external service without transparent consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`OpenIdUtil.resolve_current_open_id(args.open_id, use_current=bool(args.open_id))` initializes an internal identity without user-facing warning, and the `--open-id` parameter is suppressed from help output. Hidden identity resolution undermines transparency and informed consent, and in combination with history access can enable silent collection or use of account context that users do not expect from a simple image/video analysis tool.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code accepts either a local file path or a remote URL and forwards the file bytes or URL to a server-side analysis API, but there is no user-visible consent, disclosure, destination transparency, or restriction on what remote URLs may be submitted. Because this skill processes pet grooming images/videos, it may transmit sensitive media or enable the backend to fetch attacker-controlled URLs, creating privacy and possible SSRF-style risk depending on server behavior.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The DAO initializes the database and then automatically creates and alters schema on first use without any explicit operator acknowledgment. In an agent skill, silent persistence and schema modification are risky because they can create durable local data stores and mutate state unexpectedly, which is especially concerning when the skill's advertised purpose is simple grooming media analysis.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code trusts OPENCLAW_WORKSPACE from the environment to determine the workspace root and then uses that location to read and create files and directories. If an attacker or untrusted runtime can influence the environment, the skill may operate on unintended filesystem locations and consume identities or state from a different workspace without any disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The utility reads a local file named smyx-api-key.txt to obtain an internal identity value without any user-facing disclosure. Even if intended for convenience, silently consuming credential-like material from the workspace increases the risk of hidden cross-skill identity use and unintended external attribution.

Missing User Warnings

High
Confidence
97% confidence
Finding
The request helper automatically attaches tokens, API keys, and user identity fields such as pnaUserName to outbound HTTP requests. In a skill whose advertised function is image/video grooming analysis, silent transmission of persistent identity and authentication material materially increases privacy and account-risk exposure if endpoints are misconfigured, overbroad, or compromised.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2