Back to skill

Security audit

Pet Eating Speed Slow Feed Analysis | 宠物进食速度检测与慢食干预

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised cloud pet-video analysis, but it also silently creates or reuses an identity, contacts a login/registration service, and stores authentication tokens locally for API/history access.

Review before installing. Use it only if you are comfortable sending pet or home video content to the Life Emergence/SMYX backend and allowing the skill to create or reuse a local identity, register/login silently, and store API tokens in the workspace data directory. Avoid sensitive household footage unless the backend’s privacy, retention, and account controls are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
70% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
70% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and instructs use of shell execution, file read/write, network access, and environment-backed behavior, but declares no permissions or trust boundaries. This creates a transparency and governance gap: users and hosts cannot accurately assess what the skill can do before it handles local files, remote URLs, and backend API calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior exceeds the stated pet-video analysis purpose by adding cloud history enumeration, backend identity creation/lookup, local SQLite persistence, and silent account provisioning. That mismatch is dangerous because users may consent to video analysis without understanding that the skill also manages identities and accesses/reporting data beyond the immediate task.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Adding cloud historical-report querying extends the skill beyond one-shot analysis into account-linked data retrieval, which changes the privacy and authorization risk profile. In this context, history access can expose prior analyses and report metadata without that broader scope being clearly declared up front.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The tool presents itself as a single-purpose feeding-speed analyzer, but also exposes a hidden `--list` retrieval path that returns prior pet health analysis records. Because this operation is not clearly disclosed in the user-facing interface and relies on an internal identity context plus optional caller-supplied `open_id`, it can enable unintended access to historical pet-health data and expands the skill beyond its declared purpose.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The comment says identity is initialized internally without requiring user input, yet the code accepts `args.open_id` and passes it into `OpenIdUtil.resolve_current_open_id(...)`. This mismatch is security-relevant because it suggests the code may allow caller influence over identity selection, which can lead to impersonation or unauthorized access to another user's analysis history if downstream checks are weak.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This service exposes broad generic HTTP and CRUD wrappers (`http_get`, `http_post`, `http_put`, `http_delete`, `add`, `edit`, `delete`, `page`, `list`) that are not constrained to the stated pet eating-speed analysis purpose. In a skill that accepts user-provided uploads and network URLs, such generic request primitives can be reused by other code paths to access unintended internal or external endpoints, expanding the attack surface and enabling abuse such as unauthorized API access or SSRF-style behavior if inputs are not strictly controlled elsewhere.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file defines persistent user-account storage with fields like username, realname, email, birthday, token, and open_token, even though the skill is described as pet eating-speed video analysis. Collecting and retaining unrelated identity and token data increases privacy and credential-exposure risk, especially in a shared local SQLite database used across agents.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The DAO implements broad CRUD, schema migration, and deletion capabilities for user records rather than narrowly supporting feeding-speed video analysis. This mismatch expands the attack surface and enables unnecessary handling of personal data in a skill whose stated purpose does not justify such capabilities.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file defines an `ai_chat` capability that is unrelated to the advertised pet feeding-speed video analysis functionality. In agent skills, unnecessary general-purpose LLM/chat surfaces expand attack surface, can be abused for unintended data processing or prompt handling, and indicate possible hidden or repurposed behavior beyond the declared scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This utility code creates, resolves, and persists user identities and tokens that are unrelated to the stated pet feeding-speed video analysis purpose. That creates hidden identity state and cross-session tracking behavior, increasing privacy risk and enabling unexpected account linkage or API use under an implicitly created user identity.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The HTTP helper silently auto-registers or logs in a user against a health-service endpoint using generated or recovered identifiers whenever tokens are absent. For a pet eating-speed analysis skill, this is materially out of scope and dangerous because it can create external accounts and transmit identity data without a clear user action or disclosure.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The auto-trigger phrases for history queries are broad enough to fire on ordinary requests, which can cause unintended backend data retrieval. In a skill that links reports to internal identities, over-broad triggering raises privacy risk by initiating cloud lookups the user may not have intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation says local files and supplied URLs are processed by server-side APIs, but it does not present a clear user-facing warning that media and remote resource references are sent to cloud services. That omission undermines informed consent and can expose sensitive household video content or metadata unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads arbitrary local video files into memory and sends their contents to a server-side analysis API, but this file contains no user-facing consent, disclosure, or trust-boundary warning before exfiltrating potentially sensitive pet/home video data. In this skill context, the input may capture private household interiors, people, audio, or metadata in addition to the bowl area, so silent transmission creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads an identity value from data/smyx-api-key.txt and uses it as an internal open-id without any visible user disclosure in this component. This can silently bind requests to a local credential-like identity, creating privacy and authorization concerns if users do not expect local files to determine remote identity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This request helper attaches token-bearing headers and user identity fields to outbound HTTP requests without any indication in this file of user-facing disclosure or consent. Because the skill is described as pet video analysis, hidden transmission of identifiers and auth tokens is especially risky and exceeds what a user would reasonably expect from the declared functionality.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 视频要求:支持 mp4/avi/mov 格式,最大 10MB,建议覆盖完整进食过程 |
| 🧑‍⚖️ 结果性质 | 分析结果仅供健康参考,不提供疾病诊断或治疗建议 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,API 服务会自动下载 |
| 🔎 使用提醒 | 干预信号(慢食隔板弹出 / 语音提醒)由设备端基于本技能的输出结果实施,本技能仅负责输出干预建议 |
Confidence
87% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-pet-eating-speed-slow-feed-analysis"
description: "Triggers when a user provides a video of the pet food-bowl area for analysis; supports local uploads or network URLs to call server-side APIs for eating-speed detection, recording start/end timestamps of feeding, estimating eating speed (g/s and seconds-per-bowl), and when the speed falls below the safety threshold (e.g. < 30 sec/bowl) emitting an intervention signal (slow-feed baffle pop-up or voice prompt) to prevent choking and vomiting (without diagnosing diseases). Application scenarios: smart slow-feeder bowls, pet health management, canine care. | 当用户提供食盆区域视频时,触发本技能进行进食速度检测分析;支持通过上传本地视频或网络视频URL,调用服务端API记录进食开始/结束时间,计算进食速度(克/秒),当低于安全阈值(例如 < 30 秒/碗)时触发外部干预信号(智能慢食碗隔板弹出、语音提醒),预防噎食与呕吐(不诊断疾病)。应用场景:智能慢食碗、宠物健康管理、犬类护理。"
version: "1.0.5"
license: "MIT-0"
---
Confidence
86% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2