Back to skill

Security audit

Pet Grooming Stress Behavior Analysis | 宠物美容过程应激行为识别

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised cloud video analysis, but it also silently creates or reuses an identity and stores authentication tokens locally for remote history access.

Install only if you are comfortable uploading grooming videos or supplied URLs to the LifeEmergence/Open API service and allowing the skill to create or reuse a local identity, register/login silently, and store service tokens in the workspace data database. Avoid sensitive customer footage or internal URLs unless the publisher provides clear retention, deletion, and authentication documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
72% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
71% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities to read/write files, access environment data, invoke shell commands, and perform network requests, yet declares no permissions or user-facing safeguards. This creates a transparency and governance gap: users and hosting platforms cannot accurately assess what the skill will do with uploaded files, provided URLs, or local state before execution.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes automatic identity initialization, fallback to a default local user, and creation/reuse of a local identity, even though that behavior is not necessary for pet grooming stress analysis itself. This can silently bind reports and uploaded media to the wrong account, enable cross-user data leakage, and create hidden state that users are not aware of or able to verify.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes a history-listing feature via `--list` and `show_analyze_list()` that is not part of the stated skill purpose of analyzing a provided grooming video. Expanding functionality to enumerate prior analyses increases the attack surface and can leak sensitive prior user activity or results, especially because it operates on an internal user identity rather than a clearly consented session scope.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code initializes internal user identity state with `OpenIdUtil.resolve_current_open_id(...)` and then uses `ConstantEnum.CURRENT__OPEN_ID` to fetch per-user history, despite the skill being described as a video-analysis tool. Hidden identity binding for unrelated data access creates privacy risk and may allow access to user-scoped historical records without sufficient notice or justification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes a `--list` mode that retrieves prior analysis history via `skill.get_output_analysis_list(open_id=...)`, but the skill’s stated purpose is single-video stress analysis. This creates an undocumented data-access surface that could reveal prior user activity or analysis records, increasing privacy and authorization risk if history access is not strictly constrained server-side.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code resolves and uses an identity-linked `open_id` to access user-scoped history even though identity-based history retrieval is not necessary for one-off video analysis. Tying an internal identity token to a hidden history feature raises the risk of unintended cross-session data exposure, especially if `open_id` can be influenced or if current identity resolution is ambiguous.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file defines a generic sys_user persistence layer inside a skill whose declared purpose is pet grooming stress analysis. That mismatch is suspicious because it expands the skill's data-handling scope to account-like records without a clear functional need, increasing the chance of unauthorized retention, cross-feature data access, or hidden identity tracking.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The User model persists token and open_token values locally even though the skill is supposed to analyze grooming-session videos. Storing authentication-style secrets unrelated to the stated function creates unnecessary credential exposure risk: compromise of the local SQLite file could leak reusable tokens and enable account takeover or unauthorized API access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility layer performs identity resolution, token loading, token persistence, and authenticated request setup that goes well beyond pet grooming stress-video analysis. In this skill context, hidden account bootstrapping and credential handling expand the trust boundary substantially and can cause unauthorized use of a platform account, silent data sharing, or cross-skill identity reuse without explicit user consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code automatically derives or creates an open-id from local files or a local database, then reuses it as a default identity. For a video-analysis skill, silently manufacturing or selecting a user identity is dangerous because it enables actions to be attributed to a user without clear authorization and creates a hidden linkage between local state and remote service access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill accepts local files and network URLs and states that server-side/cloud APIs are used, but it does not give a clear warning that user-provided media and remote resource references will be transmitted to external services for analysis and history queries. This undermines informed consent and may expose sensitive videos, internal URLs, or customer data to third-party infrastructure without adequate notice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The comment and implementation show that internal identity is resolved without requiring visible user input and is hidden from help output, which undermines informed consent and transparency. In a skill handling pet-care videos that may include customer environments, silently associating requests with internal identifiers can create unjustified tracking and privacy exposure.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code reads the entire local video file into memory and sends it to a server-side analysis API, but this file likely contains sensitive visual data from pets, owners, homes, clinics, or businesses. There is no user-facing disclosure, consent check, destination transparency, or minimization in this code path, which creates a privacy and data-handling risk if users do not realize their footage is being uploaded to a remote service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When debug mode is enabled, urllib3/http.client logging is turned on globally, which can expose URLs, headers, request bodies, and response content in logs. Because this same utility handles tokens and identity-bearing requests, the logging behavior can leak sensitive authentication or user data during normal troubleshooting.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The utility reads an identity value from a workspace file and uses it as an internal identity source without clear disclosure or validation. This is sensitive local data access, and in combination with later authentication flows it can silently bind the skill's network actions to a locally stored identifier the user may not expect to be used.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request path silently performs token recovery and, if needed, network login/registration using a derived username before making the requested API call. This creates undisclosed authentication side effects and can register or authenticate accounts on behalf of the user without a clear prompt, which is especially risky for a skill whose advertised purpose is only video stress analysis.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 视频要求:支持 mp4/avi/mov 格式,最大 10MB |
| 🧑‍⚖️ 结果性质 | 分析结果仅供行为观察参考,不提供疾病诊断或行为矫正方案 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载 |
| 🔎 使用提醒 | 猫和狗的应激行为表现差异较大,分析时会结合宠物类型调整判定标准 |
Confidence
78% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-pet-grooming-stress-behavior-analysis"
description: "Triggers when a user provides a pet grooming session video URL or file for analysis; supports local video uploads or network URLs to call server-side APIs for stress behavior recognition, detecting struggling, panting, tail tucking and other stress signals during grooming, outputting stress level grading to help groomers intervene promptly. Application scenarios: pet grooming shop cameras, veterinary clinics, pet care services. | 当用户提供宠物美容过程视频URL或文件时,触发本技能进行应激行为分析;支持通过上传本地视频或网络视频URL,调用服务端API进行识别,检测挣扎、张口喘气、尾巴夹紧等应激行为信号,输出应激等级,帮助美容师及时干预,减少宠物应激伤害,提升服务体验。应用场景:宠物美容店摄像头、宠物医院、宠物护理服务。"
version: "1.0.5"
license: "MIT-0"
---
Confidence
74% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2