
Security audit

Pet Soothing Trigger Analysis Skill | 宠物安抚触发分析技能

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud media-analysis and report-history tool for pet videos, but it also silently creates or reuses identities, stores tokens locally, and is advertised more like an automatic soothing-device trigger than the code supports.

Review carefully before installing. Use this only if you are comfortable sending pet-camera videos or video URLs to the configured cloud service, having cloud report history tied to an automatically selected local identity, and storing service tokens in a local SQLite database. Prefer explicit user confirmation before uploads or history lookup, avoid private/internal URLs, and do not use it with sensitive home footage unless the publisher clarifies retention, deletion, identity, and token handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (25)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while its documented behavior includes shell execution, local file handling, network access, and use of environment/config state. This deprives reviewers and users of informed consent and weakens sandboxing or policy enforcement because the effective capability set is broader than advertised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest markets the skill as a pet-soothing trigger, but the documented/observed behavior extends to remote media submission, cloud report retrieval, persistent local identity/token storage, and account-style authentication flows. That mismatch is dangerous because users may provide sensitive home-monitoring video without realizing it is uploaded, tied to an account, and retained locally and remotely.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill mandates hidden identity handling, silent reuse of a default local user, and automatic user creation unrelated to simple pet-behavior analysis. This creates covert account linkage and persistence, increasing the risk of cross-session data mixing, unauthorized access to prior reports, and opaque tracking of household video data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code silently resolves an internal user identity via OpenIdUtil.resolve_current_open_id and exposes a hidden --list mode that retrieves analysis history, which is not clearly aligned with the advertised pet-calming trigger behavior. Hidden identity handling and undisclosed record listing increase the risk of unauthorized access to user-linked analysis data, especially because the parameter is suppressed from help output and users may not understand that account-scoped data is being accessed.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implemented behavior performs pet mood analysis and returns analysis lists rather than triggering soothing actions such as sounds or toys described in the manifest. This capability mismatch is dangerous because users and reviewers may trust the declared functionality while the code actually collects or exposes analysis outputs, creating a deceptive data-processing surface and undermining informed consent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation does not perform pet-calming or device-trigger logic described in the manifest; instead it uploads local files or remote video URLs to an external analysis workflow and exposes report-export behavior. This skill/manifest mismatch is security-relevant because users and host systems may grant permissions or provide data under false expectations, enabling unintended collection and off-device processing of media.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The code explicitly requires a local video path or network video URL, which conflicts with the stated pet-companion automation use case. In context, this contradiction increases suspicion that the skill may solicit or process user media unrelated to its advertised function, creating deceptive data collection risk.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This file exposes broad generic CRUD wrappers and arbitrary HTTP GET/POST/PUT/DELETE methods that are not constrained to the stated pet-calming purpose. In a skill meant to detect pet anxiety and trigger soothing actions, these capabilities materially expand the attack surface by enabling unrelated backend interactions or repurposing the skill as a general API client if other components can influence the URL or payloads.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The user lookup function introduces identity-related capability unrelated to pet calming, suggesting unnecessary access to account or directory information. Even if not directly exploitable here, unnecessary user enumeration features increase privacy risk and can support account discovery or lateral misuse in a broader system.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This file implements a broad reusable persistence layer and user database capability that appears unrelated to the stated pet-calming behavior. In context, unnecessary local storage increases attack surface and creates privacy risk because the skill can retain user records and related metadata beyond what the feature description justifies.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The User model stores identity data and token-like secrets ('token', 'open_token', email, realname) in a local SQLite database even though the skill's described purpose does not require account or credential storage. In this context that is especially dangerous because local plaintext credential persistence can lead to account compromise, privacy violations, and cross-skill abuse if the device or workspace is accessed.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This code resolves, creates, and persists default open-id identities using workspace files, environment state, and a local database, which is unrelated to the declared pet-calming function. That broad identity management creates hidden account linkage and persistent tracking behavior, and can cause actions to be performed under an implicitly selected user without clear consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The HTTP helper does more than send requests: it auto-registers or logs in users against an external service, stores returned tokens, retries authorization, and injects identity metadata into outbound requests. For a pet-calming skill, this hidden authentication/provisioning pathway materially exceeds expected scope and can transmit user identifiers and create remote accounts without informed approval.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The default trigger activates for generic pet-video emotion analysis requests, making unintended invocation likely. In this skill, unintended activation matters because it can cause automatic file saving, remote uploads, and downstream account-linked processing of home surveillance media without clear user intent.

Vague Triggers

Medium
Confidence
83% confidence
Finding
History-report activation is tied to broad everyday phrases such as viewing history or report lists, which can accidentally trigger cloud retrieval of prior records. Because those records may contain sensitive household monitoring metadata, accidental activation can expose private data across sessions or users.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that uploaded attachments and media are automatically saved as local files without presenting that as a clear warning to users. Automatic persistence of user-supplied home video creates privacy and retention risks, especially if files are stored in predictable locations or retained longer than necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation lacks a clear privacy warning that user-supplied URLs and media may be fetched/downloaded and processed by a remote API. For a pet-camera skill, this is especially sensitive because it likely involves continuous or in-home surveillance footage, and silent cloud transfer materially increases exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code reads arbitrary local files into memory or accepts arbitrary external URLs, then sends them to an external analysis API without any visible user-facing warning, consent check, or restriction on destination behavior. That can expose sensitive local media, internal URLs, or private network resources to third-party services, especially dangerous given the skill's misleading pet-care description.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
In debug mode, the code enables verbose HTTP logging and prints request URL, params, and data; upstream urllib3/http.client debugging can also expose headers and payload details. If debug is enabled in production or logs are collected centrally, sensitive pet, user, or token-related data may be disclosed without the user's knowledge.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The utility reads identity information from OPENCLAW_WORKSPACE and from data/smyx-api-key.txt without an obvious disclosure or consent boundary. While not inherently exploitable alone, it creates implicit trust in ambient local state and can unexpectedly bind the skill to credentials or identifiers present in the workspace.

External Transmission

Medium
Category
Data Exfiltration
Content
                "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
92% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 Document reading | Read the reference documents only when needed, keeping the context concise |
| 📁 Format support | Supported formats: mp4/avi/mov, maximum 10MB |
| 🧑‍⚖️ Nature of results | These analysis results are for smart-trigger reference only; the actual soothing effect varies between individual pets |
| 🚫 Script restriction | Generating ad-hoc scripts is forbidden; only the skill's own scripts may be used |
| 🌐 Network addresses | Network address parameters that are passed in do not need to be downloaded locally; addresses are assumed to be public, and the api service downloads them automatically |
| 📜 Report output | When displaying the list of historical analysis reports, extract the field  from the json data returned by the interface as the hyperlink address, and automatically convert it into the Markdown shown below |
Confidence
78% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "pet-calming-trigger-analysis"
description: "Automatically triggers soothing mechanisms (playing relaxing sounds, activating laser toys) when pet anxiety, howling, or prolonged loneliness is detected; a smart companion for pet care. | 宠物安抚触发技能,检测到宠物焦虑、嚎叫、长时间孤独时,自动触发安抚机制(播放舒缓音效、开启激光逗宠),智能宠物陪伴好帮手"
version: "1.0.6"
license: "MIT-0"
---
Confidence
76% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2