Back to skill

Security audit

Pet Drying Box Heat Stress Analysis | 宠物烘干箱内热应激预警

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it silently creates or reuses user identity state, stores tokens locally, and sends identity-linked data to remote services with limited user-facing control.

Install only if you are comfortable with pet videos or video URLs being sent to lifeemergence-related APIs, historical reports being queried from the cloud, and a local workspace database storing user identifiers and service tokens. Avoid using it in shared workspaces unless you understand which identity will be reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (22)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions while its instructions clearly require file read/write, shell execution, environment use, and network access. This mismatch obscures the true capability surface of the skill, making review and consent harder and increasing the risk of unintended data access or outbound transmission.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill expands beyond live heat-stress analysis into cloud-based historical report lookup, which is a broader data-access function than the user-facing purpose suggests. That scope increase can expose prior records and metadata unrelated to the immediate analysis request, especially because it is configured for automatic triggering.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill auto-creates and reuses a local default user identity without clear necessity for the stated video-analysis function. Silent identity persistence can lead to cross-session data mixing, unintended account linkage, and access to another user's historical reports if local defaults are reused improperly.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script includes a hidden `--list` mode that retrieves prior analysis records via `skill.get_output_analysis_list(open_id=...)`, which is outside the advertised single-video analysis behavior. Undocumented data-retrieval paths increase the risk of unauthorized access to historical analysis results, especially because the same file also initializes an internal identity context that may silently scope which records are returned.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code initializes an internal OpenID context through `OpenIdUtil.resolve_current_open_id(...)` even though the stated purpose is only video heat-stress analysis. Binding execution to a hidden identity context can enable access to per-user records or cross-user data exposure without transparent user awareness, which is especially concerning in a pet-care setting that may involve customer-owned media and associated history.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module defines persistent local storage for user/account records in a skill whose declared purpose is pet drying-box heat-stress video analysis. This is a capability-context mismatch: collecting and persisting user identities in a shared local database increases privacy and cross-skill data exposure risk without clear necessity for the advertised function.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The User model stores token and open_token fields alongside identity attributes, which gives the skill credential-handling capability unrelated to pet heat-stress detection. Persisting tokens locally, especially in a shared DAO/database layer, materially raises the risk of credential theft, cross-feature misuse, and unauthorized API access if the workspace or DB is exposed.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The utility reads an internal workspace identity file and, if absent, creates or reuses local user identities unrelated to the advertised pet video heat-stress analysis purpose. This expands the skill's access to local identity material and establishes persistent identity state without clear user consent, creating unnecessary privacy and trust risks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The request helper silently calls a health-service login/registration endpoint to provision users and obtain tokens before normal API usage. For a pet drying-box analysis skill, covert account creation and identity transmission materially exceed the stated scope and can leak user-linked metadata to external services without informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This wrapper injects tenant, skill hub, platform, and username metadata into all outbound requests regardless of whether each destination needs that information. In the context of a narrowly described video-analysis skill, this broad metadata propagation increases privacy exposure and enables unintended cross-service tracking.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill states that uploaded attachments are automatically saved locally and that video content may be sent to server-side APIs, but it does not present a clear user warning about storage, transmission, retention, or third-party processing. For potentially sensitive pet-owner media, this creates a transparency and privacy risk and may lead to data handling users did not expect.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger rules are broad enough to activate on generic report-related phrases, not just clear requests for heat-stress analysis. Overbroad activation can cause unintended access to files or historical cloud data, especially in contexts where the user did not intend this skill to run.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill accepts either a local video file or a remote video URL and forwards that content to server-side analysis APIs, but this file contains no user-facing notice, consent flow, or transparency mechanism about the upload/transfer. Because the content is pet-drying-box video, it may still capture people, private environments, business interiors, or sensitive operational footage, so silent transmission creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Debug mode enables low-level HTTPConnection and urllib3 logging, which can expose request URLs, headers, tokens, and response content in logs. Because this occurs globally and without user-facing disclosure, sensitive authentication or service data may be written to console or log sinks accessible to operators or other processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Reading an identity value from data/smyx-api-key.txt accesses sensitive workspace credential material without any visible disclosure or purpose limitation tied to pet heat-stress analysis. Even if used as an internal identifier, deriving identity from an API key file risks repurposing secrets and normalizing hidden credential access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code automatically sends openId, mobile, source, and registration flags to a remote endpoint as part of silent login/registration behavior. This transmits identity-related data off-box without clear notice, and the skill's pet-video analysis context does not justify hidden registration workflows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The general HTTP helper attaches X-Access-Token, X-Api-Key, Authorization, and username-derived metadata to requests and may also print request/response details in debug paths. This creates broad risk of credential leakage and unnecessary disclosure to external services, especially because the helper is generic and can affect many endpoints.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
97% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 视频要求:支持 mp4/avi/mov 格式,最大 10MB |
| 🧑‍⚖️ 结果性质 | 分析结果仅供烘干安全参考,不提供疾病诊断或治疗建议 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网路地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载 |
| 🔎 使用提醒 | 检测到高风险或紧急级别热应激信号时,应提示用户立即停止烘干、降低温度、开盖通风并观察宠物状态 |
Confidence
72% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-pet-drying-box-heat-stress-analysis"
description: "Triggers when a user provides a pet drying box area video URL or file for analysis; supports local video uploads or network URLs to call server-side APIs for pet heat stress signal detection, analyzing open-mouth panting intensity, tongue color (pink/cyanotic), and body movement frequency to identify early heat stress signals, outputting risk levels and supporting auto-cooling or stopping drying. Application scenarios: pet drying boxes, pet grooming stores, pet hospitals. Development reason: prevent heatstroke and improve safety. | 当用户提供宠物烘干箱区域的视频URL或文件时,触发本技能进行烘干箱内热应激预警分析;支持通过上传本地视频或网络视频URL,调用服务端API进行热应激信号识别,分析张口喘气强度、舌体颜色(粉红/紫绀)、身体移动频率,识别热应激早期信号,输出风险等级,支持自动降温或停止烘干。应用场景:宠物烘干箱、宠物美容店、宠物医院。"
version: "1.0.4"
license: "MIT-0"
---
Confidence
69% confidence
Finding
description:; ‍

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2