Security audit

Visual Emotion Recognition Skill | 人体视觉情绪识别技能

Security checks across malware telemetry and agentic risk

Overview

The skill’s main emotion-analysis workflow is real, but it handles sensitive face/emotion data with under-disclosed account creation, token storage, and report-history access.

Review carefully before installing. This skill may upload face images/videos or URLs to a cloud service, associate emotion reports with an open-id, username, or phone number, retrieve prior reports, and store account tokens locally. Use it only with media and identifiers you are comfortable sharing, and look for clear retention, deletion, and account-control terms from the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read config files, save uploaded files locally, invoke a shell command, and send data to a cloud API, yet it declares no permissions. This creates a transparency and consent gap: operators and users cannot accurately assess that the skill will access files, write media, use network connectivity, and execute scripts before it runs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill requires an open-id and explicitly allows using a username or phone number to save and query reports, which introduces collection of personal identifiers beyond the manifest's core emotion-recognition purpose. Because the reports concern emotional and possible mental-health-related inferences, linking them to direct identifiers increases privacy sensitivity and risk of profiling or misuse.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented behavior includes automatically saving uploaded media locally and querying cloud-hosted historical reports, but these data flows are not reflected in the manifest's stated purpose. That mismatch can lead to users providing sensitive face images or videos without understanding that files may be persisted locally and that report history is remotely retrieved and associated across sessions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file documents pet health analysis APIs and report export endpoints, which materially conflicts with the declared purpose of a human emotion recognition skill. This kind of capability mismatch is dangerous because it can misroute user data, trigger unintended backend actions, or conceal that the packaged skill is wired to a different service than advertised, increasing the risk of privacy violations and unauthorized data processing.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented endpoints perform health-analysis task creation, result retrieval, history paging, and full report export for pet health, not human emotion recognition. In the context of a skill advertised for mental health monitoring and emotion analysis, this mismatch is especially risky because users or integrators may send sensitive human data to an unrelated health/reporting workflow, leading to data leakage, compliance issues, or unauthorized exports.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This service exposes generic record-management methods (page, list, add, edit, delete) that go beyond the manifest's stated purpose of emotion recognition and analysis. Capability expansion increases attack surface and may allow callers to enumerate, modify, or remove backend records unrelated to the advertised functionality, especially if downstream authorization is weak or assumed elsewhere.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The delete method removes records by cameraSn, a camera-oriented identifier not disclosed by the emotion-recognition description. Hidden destructive capability is risky because integrators or users may invoke the skill expecting analysis-only behavior while it can delete camera-related resources, potentially causing data loss or service disruption.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a history/listing function for prior emotion-analysis results via `show_analyze_list(open_id)`, which is outside the narrowly described real-time media analysis purpose. Because emotion-analysis outputs and associated history are highly sensitive, adding record enumeration increases privacy risk and can enable access or discovery of prior analyses if identifiers are weakly controlled downstream.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CLI accepts broad identifiers such as OpenID, user ID, username, and phone number for accessing analysis records. Allowing human-guessable identifiers for a sensitive history feature materially raises the risk of enumeration, account mix-ups, and unauthorized retrieval of emotion-analysis data tied to real people.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill accepts arbitrary remote URLs and passes them to the backend analysis service without allowlisting, scheme/domain restrictions beyond http/https, or user warnings. If the backend fetches the URL server-side, this can enable misuse such as probing internal resources, accessing sensitive endpoints, or processing unintended third-party content, which is especially unjustified for a facial-emotion skill.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation delegates to a generic video-analysis/history system rather than a narrowly scoped frontal-face emotion recognition flow described in the manifest. This scope mismatch is dangerous because users and policy controls may grant access based on the declared purpose, while the code can process broader inputs and produce different analysis behavior than expected.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The --list pathway exposes analysis-history retrieval that is not disclosed in the skill description, expanding functionality beyond the stated real-time emotion-recognition purpose. Undeclared data-access features are risky because they can reveal prior analysis artifacts or metadata to users or integrators who did not expect the skill to retain or expose historical records.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
History retrieval is keyed off an OpenID-derived identity, but the code shown does not demonstrate any explicit authorization boundary beyond resolving the current OpenID. In a mental-health/emotion-analysis context, access to prior analysis records can expose highly sensitive biometric or psychological inferences, making unjustified identity-based retrieval especially privacy-sensitive.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file exposes broad generic network and CRUD wrappers that are not constrained to the emotion-recognition purpose described in the skill metadata. Because callers can supply arbitrary URLs and request data, the skill can be repurposed to access, modify, or relay remote resources far beyond face/emotion analysis, which materially expands its attack surface and capability set.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The add, edit, and delete methods perform arbitrary remote state-changing POST operations using caller-provided URLs and arguments, with no visible scope restriction or safety controls. In the context of an emotion-recognition skill, remote modification capabilities are unnecessary and could be abused to alter or destroy external resources if reachable by the runtime.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The generic http_post/http_put/http_get/http_delete wrappers provide unrestricted pass-through network capability to arbitrary URLs. Even without direct evidence of hostile use here, this creates an unnecessary exfiltration and lateral-access primitive that exceeds the declared purpose of emotion analysis and makes downstream misuse easier.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements generic user/account persistence behavior that is not aligned with the declared emotion-recognition purpose. Such hidden or unnecessary account-handling logic expands the attack surface, increases privacy risk, and may enable unauthorized retention of user identity data without a clear functional need.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The model stores personal profile information and authentication-like secrets including token and open_token, despite the skill being described as an emotion-analysis capability. This creates substantial privacy and credential-handling risk; if the local database is accessed or exfiltrated, attackers may obtain sensitive identity data and reusable tokens unrelated to the advertised function.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code automatically creates and mutates a local SQLite database, including schema alteration, even though the skill is presented as an analysis capability. In this context, undeclared persistent state increases stealth, privacy, and data-retention risks, especially for a mental-health-related skill processing sensitive human information.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility file performs identity resolution, local credential-like state handling, account provisioning, token persistence, and authenticated API brokering, which materially exceeds the declared emotion-recognition purpose. That mismatch increases the likelihood of undisclosed data flows and hidden account actions, especially in a skill expected to process visual emotion inference rather than manage user identities and remote service access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code automatically logs in or registers backend users through /sys/phoneLogin using locally resolved identifiers, including synthesized default identities, without an explicit user action in this file. Auto-creating remote accounts for an emotion-recognition skill is unnecessary to core functionality and can create unauthorized identities, silent data enrollment, and opaque linkage between local users and backend accounts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads identity values from a workspace file, falls back to local database state, and writes persistent default identities for later reuse. For a skill advertised as emotion recognition, maintaining local identity state and credential-adjacent material without clear disclosure creates avoidable privacy and accountability risks.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The auto-trigger phrases for history lookup are broad enough to match ordinary user wording, which can cause unintended retrieval of prior emotion-recognition reports. In this context, historical reports may contain highly sensitive emotional or mental-health-related inferences, so accidental triggering can disclose private data the user did not mean to request.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2