Back to skill

Security audit

Pet Carrier Respiratory Rate Analysis | 宠物航空箱内呼吸频率监测

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised remote pet-video analysis, but it also silently creates or reuses user identities, logs into a backend, stores tokens locally, and can retrieve cloud history without clear runtime user control.

Review before installing. Use this skill only if you are comfortable sending pet videos or private video URLs to the publisher's remote service, and with the skill silently creating/reusing a backend identity, retrieving cloud report history, and storing auth tokens in a local workspace database. Avoid submitting sensitive household/travel footage or signed/private URLs unless the publisher documents retention, account handling, and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to read local files, save uploads locally, invoke shell commands, access environment-derived identity, and call remote APIs, yet it declares no explicit permissions or user-facing capability boundaries. This creates a transparency and policy gap where powerful actions can occur without clear authorization, increasing the chance of unsafe execution or data handling.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documented endpoints expose pagination of historical analysis reports and full report export functionality that goes beyond the skill’s stated purpose of analyzing a provided video and returning a safety alert. This scope expansion increases the risk of unauthorized access to previously generated reports, bulk data enumeration, or exfiltration of sensitive pet-owner transport records if these capabilities are reachable through the skill or insufficiently access-controlled.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script exposes a listing function for prior pet health analyses via `--list` and `skill.get_output_analysis_list(open_id=...)`, but that capability is not part of the stated skill purpose of analyzing a user-supplied video. Undocumented retrieval of historical analysis data expands the data-access surface and can enable privacy violations or unintended disclosure of prior user records, especially when combined with hidden identity handling.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code silently initializes an internal `open_id` and uses it to fetch user-specific analysis records, even though identity-based record access is not justified by the declared function of simple respiratory-rate analysis. This creates a hidden user-tracking and data-access mechanism that could expose sensitive historical pet health information if identity resolution is incorrect, spoofable, or reused across contexts.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes a `--list` mode that returns prior analysis records via `skill.get_output_analysis_list(open_id=open_id)`, but the manifest describes only one-shot analysis of a user-provided pet video. This undocumented expansion of scope increases the attack surface and can expose historical user data if the caller can influence identity context or invoke the skill in unintended ways.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code resolves an OpenID context and uses `ConstantEnum.CURRENT__OPEN_ID` to fetch per-user analysis history, even though identity-based history access is outside the stated purpose of respiratory-rate analysis. Hidden identity handling combined with a suppressed `--open-id` parameter can enable unintended access patterns or privacy leakage if identity resolution is weak, spoofable, or misunderstood by integrators.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file exposes a broad generic API client surface including listing, add, edit, delete, and arbitrary HTTP verbs, which exceeds the narrowly described purpose of analyzing pet respiratory-rate videos. In a skill that should mainly submit media for analysis and retrieve results, such extra-capability wrappers increase the chance that other components can invoke unintended remote operations, expanding the attack surface and enabling misuse if user-controlled endpoints or parameters are ever passed through.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The presence of generic add, edit, delete, put, post, and delete wrappers gives the skill arbitrary remote resource modification capability without any visible constraint tying those actions to the stated read/analysis workflow. If other parts of the skill can supply URLs or payloads, this could be abused to alter or delete backend data or interact with unrelated internal services, making the mismatch in capability materially dangerous.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file defines persistent user/account storage and lookup behavior that is unrelated to the manifest's stated function of analyzing pet respiratory rate from videos. Unnecessary identity persistence increases the attack surface and creates privacy/data-retention risk, especially because the model stores usernames, real names, email, birthday, tokens, and open tokens. In the context of a medical/safety-adjacent transport analysis skill, collecting or retaining such account data is harder to justify and more dangerous.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The module creates and manages a local SQLite database with broad CRUD capabilities, which goes beyond the described analysis-and-alert behavior for pet carrier respiratory monitoring. Such hidden statefulness can be abused to persist data across runs, store sensitive artifacts, or support functionality not disclosed to users, increasing both privacy and supply-chain risk. The skill context makes this more suspicious because video-analysis tooling typically needs transient processing, not a generic local persistence layer.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This utility layer creates, resolves, and persists user identities and tokens that are unrelated to the stated purpose of pet respiratory-rate video analysis. It reads identity material from workspace files/environment and can generate default accounts, expanding the skill's data-collection scope beyond what a user would reasonably expect. In a video-analysis skill, this hidden identity management increases privacy and supply-chain risk because any caller of the shared utility inherits this behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The HTTP helper can silently register or log in a user against a health backend via `/sys/phoneLogin`, using derived identifiers without an explicit user action. That materially exceeds the stated function of analyzing pet breathing from a video and creates hidden account creation, identity transmission, and token issuance. Because this logic is embedded in a generic request path, many unrelated API calls may trigger it implicitly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that local files and network URLs are sent to server-side APIs for analysis, but it does not provide a clear user warning about remote processing, storage, retention, or third-party handling. Users may disclose sensitive media or internal URLs without understanding that the content leaves the local environment and may be fetched or stored remotely.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The workflow says uploaded attachments are automatically saved as local files, but there is no clear user-facing disclosure about local persistence, storage location, retention period, or cleanup. This can expose sensitive media to unintended local access, backups, or later reuse beyond the user's expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
`OpenIdUtil.resolve_current_open_id(args.open_id, use_current=bool(args.open_id))` performs internal identity resolution without user-facing disclosure, and the related CLI argument is suppressed from help output. Hidden identity processing is dangerous because it can enable covert linkage of requests to user accounts and support unauthorized access to account-scoped data without informed consent or visibility.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code reads arbitrary local video files into memory and submits their contents to a server-side analysis API, but this file contains no user-visible disclosure, consent gate, or transmission warning. In a skill handling pet transport videos, those files may contain sensitive household, travel, or identifying information, so silent upload creates a privacy and data-handling risk even if the functionality is expected.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill forwards user-supplied remote video URLs directly for backend analysis without warning the user that the URL will be transmitted to another service. While the user is already providing a network resource, the absence of disclosure can still expose private or signed URLs, internal resource locations, or access tokens embedded in query strings.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
`FileUtil.open(path)` opens arbitrary paths for writing with no validation, sandboxing, or user disclosure. If attacker-controlled input ever reaches this helper, it can overwrite files within the agent's permissions, enabling data loss, tampering, or persistence. In a shared utility file, this risk propagates to any skill that reuses it.

Missing User Warnings

Low
Confidence
79% confidence
Finding
`mkdir(path)` creates directories at arbitrary paths without validation or disclosure. On its own this is lower impact than arbitrary file writes, but if path input is attacker-controlled it can be used to prepare filesystem locations for later abuse or to pollute the workspace. In a utility shared across skills, silent persistence behavior is still a trust-boundary concern.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code reads identity-related data from `OPENCLAW_WORKSPACE`, local workspace files, and other ambient sources without any user-facing disclosure. That can silently bind requests to an internal identity or secret-bearing file, which is outside the normal expectation for a pet video analysis skill. The hidden use of local identity state increases privacy risk and makes behavior dependent on the runtime environment in non-obvious ways.

Missing User Warnings

High
Confidence
98% confidence
Finding
The helper posts identity data such as `openId` and `mobile` to a remote backend without an explicit user-facing warning or consent step. Sending identifiers off-box is especially sensitive when the skill's declared purpose is local or server-side respiratory analysis of pet videos, not user account operations. This mismatch makes the behavior more dangerous because users are unlikely to anticipate personal identity transmission.

Missing User Warnings

High
Confidence
97% confidence
Finding
This generic request utility silently adds authentication headers, tenant/platform metadata, usernames, and request payloads to outbound network calls. As shared infrastructure, it can cause broad undisclosed exfiltration of user and environment-derived data across many code paths. In the context of a narrowly described pet-health monitoring skill, this hidden networking and credential propagation is a substantial overreach and increases supply-chain risk.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2