Security audit

Pet Body Condition & Health Analysis Skill | 宠物体态健康分析技能

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do more than pet health analysis, including broad backend access, history lookup, token handling, and media upload with unclear disclosure.

Install only if you are comfortable with pet or household media and user identifiers being sent to external services, and if you trust the publisher to handle account tokens and retained analysis history. Avoid using it with videos containing people, private interiors, or sensitive context until the publisher narrows the API surface and clearly documents data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill exposes generic CRUD-style record management methods such as page, list, add, edit, and delete that are not necessary for a narrowly scoped pet body health analysis capability. This expands the attack surface and could allow the skill to manipulate or enumerate backend records if invoked by an agent or user in ways unrelated to the stated health-analysis purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The delete method permits removal of records by cameraSn, but deletion is not justified by the declared skill purpose of analyzing pet body condition from inputs. If this method is reachable through the skill, an attacker or over-privileged workflow could delete device-linked records or operational data, causing integrity loss or service disruption.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill exposes retrieval of a user-specific analysis history via `show_analyze_list(open_id)` even though the stated purpose is single pet body-health analysis from supplied media. If an attacker can invoke the skill with another person's identifier, this broadens access to prior health-related records and creates an unnecessary privacy/data-exposure surface.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented endpoint and response schema are materially unrelated to the declared pet body health analysis purpose. This mismatch strongly suggests the skill may send user pet media to a generic human-analysis service or misrepresent what the backend actually does, creating a serious trust and data-handling risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The response documents human face detection and traditional-medicine-style organ/complexion diagnosis, which are not justified by a pet body health skill. In this context, these capabilities indicate undisclosed human-analysis behavior or deceptive functionality, increasing the risk of collecting and processing sensitive human imagery under false pretenses.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This file exposes generic CRUD-style operations such as page, list, add, edit, and delete that go beyond a narrowly scoped pet body health analysis function. In a skill advertised as image-based pet health assessment, these broader record-management capabilities increase attack surface and may enable unauthorized data manipulation or access if the surrounding system invokes them without strict authorization controls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The delete method allows deletion by cameraSn, which is unrelated to the stated purpose of pet body health analysis and suggests control over external records or devices. If exposed to untrusted callers or weakly authorized contexts, this could permit unauthorized deletion of camera-associated data or operational configuration, creating a stronger integrity risk than the analytical functions imply.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation exposes generic video analysis and per-user history retrieval behavior that does not match the declared pet body health analysis purpose. Capability mismatch is dangerous because it can hide broader data processing or surveillance functionality behind a benign health-oriented manifest, preventing informed consent and defeating least-privilege expectations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The CLI describes a general-purpose video analysis tool, which conflicts with the skill's pet health description and increases the risk that users invoke broader analysis than intended. This kind of deceptive or inaccurate interface can lead to unauthorized processing of non-pet videos and undermines transparency around what data is collected and analyzed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The history-listing capability allows retrieval of analysis records keyed by an open_id, but this feature is not justified by the stated pet body health function. Even if intended for convenience, unnecessary history access expands privacy risk and can expose prior analyses or metadata if identifiers are guessable, reused, or insufficiently authorized server-side.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file implements a generic API wrapper that exposes broad CRUD operations and arbitrary HTTP verbs without any apparent restriction to the stated pet body health analysis purpose. In a skill context, this creates unnecessary remote action capability that can be repurposed for data exfiltration, unauthorized backend interaction, or acting as a proxy to other services, which materially expands the attack surface.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The http_post/http_put/http_get/http_delete methods accept arbitrary URLs and forward arguments directly to the request utility, effectively granting unrestricted outbound HTTP capability. For a pet health analysis skill, such functionality is unjustified and dangerous because it could be abused to contact attacker-controlled infrastructure, exfiltrate sensitive data, scan internal services, or bypass intended platform boundaries.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The add, edit, and delete methods expose remote state-changing operations that are not justified by a diagnostic pet body health analysis skill. Even if intended as shared utility code, embedding generic create/update/delete capabilities in this skill increases the chance that the skill can modify external resources or backend data beyond its expected read/analysis role.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file provides generic persistent storage plus user/account handling, including tokens, which is not justified by a pet body/health analysis skill's stated purpose. Capability mismatch increases risk because it expands the skill's access to local data and identity artifacts beyond what users would reasonably expect, creating unnecessary collection and retention surfaces.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The User model stores account identifiers plus token and open_token fields, which are sensitive authentication artifacts and unrelated to pet image health analysis. In this context, collecting and persisting such data is especially dangerous because it creates a covert credential-retention mechanism inside a low-trust skill where users would not expect account storage.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility layer performs authenticated backend access, injects tokens into requests, and includes account bootstrap logic that is unrelated to pet body-health analysis. In the context of a skill that should only analyze pet condition, hidden identity, token, and backend capabilities materially expand the attack surface and could enable unauthorized data access or misuse of platform accounts.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The _get_or_create_user flow can create or retrieve user accounts by sending a username/mobile/openId to a phone-login endpoint with automatic registration enabled. That is unjustified for the declared pet-health purpose and could silently provision accounts, associate user identifiers with backend services, and trigger unauthorized access patterns.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The file utility methods allow opening arbitrary paths in write mode and creating directories without any apparent path restrictions or relation to the pet-analysis function. In an agent environment, such generic write helpers can be reused to overwrite local files, persist data, or stage further abuse if called with untrusted paths.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The default trigger is broad enough that many generic pet image or video requests could invoke this skill automatically. In context, activation causes local file saving and remote API submission of user media, so unintended triggering can lead to unexpected data transfer and privacy-impacting actions without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The history-report trigger keywords are ambiguous and automatically force a cloud query for historical records. Because history access is account-linked through open-id and returns report links, accidental invocation could expose sensitive prior reports or cause unnecessary backend access beyond the user's immediate intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The analysis flow sends a user-provided media reference and associated user identifier to backend analysis services without any explicit disclosure, consent prompt, or privacy notice in the CLI flow. Because pet-health media and linked identifiers can constitute sensitive personal data, silent transmission increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API accepts uploaded videos or public video URLs but provides no warning that user media will be transmitted to an external server for analysis. For a health-related pet skill, users may reasonably submit household videos that contain people, interiors, location clues, or other sensitive data, so the lack of disclosure creates a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill reads arbitrary local file content into memory and sends it to an external analysis service without any visible consent, disclosure, or trust-boundary indication in this code path. In a skill that analyzes pet health media, silent transmission of local user files can expose sensitive personal data if users misunderstand where files are sent or what service receives them.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
skills/smyx_common/scripts/config.yaml:15

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2