Back to skill

Security audit

Pet Hospital Waiting Anxiety Level Analysis | 宠物医院候诊焦虑等级评估

Security checks across malware telemetry and agentic risk

Overview

The skill’s video analysis purpose is mostly coherent, but it silently creates and reuses identity/account state, stores tokens locally, and performs cloud history/report access in ways users should review before installing.

Install only if you are comfortable with this skill uploading selected waiting-area media to lifeemergence.com services, automatically creating or reusing an internal user identity, storing service tokens in a local workspace SQLite database, and retrieving cloud history/report records tied to that identity. Review the provider, endpoint trust, retention expectations, and whether clinic footage may include owners, staff, or bystanders before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs use of shell execution, local file handling, environment-backed identity initialization, and network/API access, yet no permissions are declared in the manifest. This creates a capability-transparency gap: reviewers and users cannot accurately assess that the skill can read/write files, invoke commands, and send user-provided media or URLs to remote services.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest describes anxiety analysis of user-provided pet videos, but the body expands behavior to cloud-based historical report retrieval and report-link output. That scope expansion matters because it introduces access to potentially sensitive stored data and remote report enumeration that users may not expect from the manifest alone.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented endpoints materially exceed the skill’s declared purpose of waiting-area pet anxiety scoring by including generic health-analysis history, pagination, and full report export capabilities. This creates a scope mismatch that can expose broader medical-style data access patterns, increasing the risk of unauthorized retrieval or overcollection of sensitive pet/owner records if the skill or its backend is wired to these APIs.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script includes a hidden history-listing path via --list and an undisclosed open-id flow that is outside the manifest’s described single-video anxiety analysis behavior. If access control is weak in the underlying skill methods, a user could enumerate or retrieve prior analysis records for an identity, creating unauthorized data exposure and function creep beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill implements a report-listing function that goes beyond the declared purpose of analyzing a user-provided video. Enumerating prior reports can expose metadata or results from other analyses, increasing the chance of unintended data disclosure if access control is weak or absent upstream. In a pet-hospital context, these reports may contain sensitive operational or customer-related information, making this capability more risky than a narrow single-request analysis flow.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
The code generates export URLs for analysis reports, effectively enabling retrieval or sharing of report artifacts beyond the stated analysis-only behavior. If these URLs are guessable, long-lived, or not access-controlled, they could leak report contents to unauthorized parties. The risk is somewhat limited by the snippet not showing direct exfiltration, but it still expands data exposure surface.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes a history-listing capability through `show_analyze_list(open_id, ...)` that goes beyond the stated skill purpose of analyzing a provided video. This expands the data surface from one-shot analysis to retrieval of prior analysis records, which can leak sensitive behavioral data or metadata if access control is weak or the current OpenID resolution is manipulated elsewhere in the stack.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The CLI supports a `--list` mode that bypasses the normal requirement to provide a video and instead retrieves historical analysis data. Because this mode is not aligned with the advertised per-video analysis behavior, users or higher-level agents may invoke it unexpectedly, creating an information disclosure path and violating least surprise and least privilege expectations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This file exposes broad generic CRUD and raw HTTP helper methods that are not scoped to the stated pet anxiety video-analysis purpose. In a skill that may process user-supplied URLs/files and call server-side APIs, such generic wrappers can be reused by other skill components to reach unintended internal or external endpoints, expanding the attack surface and enabling misuse beyond the declared function.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file implements a shared user/account database layer, including token-bearing user records, even though the declared skill is pet waiting-room anxiety video analysis. This capability expands the data-access surface beyond the stated purpose, increasing the chance of unnecessary collection, retention, or cross-skill exposure of user identity and authentication data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The DAO initializer automatically creates and mutates a local SQLite schema, including ALTER TABLE operations, which is unrelated to the narrow video-analysis purpose described for the skill. This introduces persistent state and schema-management behavior that can retain sensitive data, create cross-run side effects, and broaden the blast radius if the skill is compromised or misused.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This utility code manages persistent user identity resolution and token-adjacent state that is unrelated to the declared pet-video anxiety analysis purpose. It silently derives identities from workspace files and local databases, then reuses them across requests, which expands the skill's effective scope into account handling and creates hidden identity linkage and privacy risks.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The HTTP helper can automatically register or log in users against an external health platform via /sys/phoneLogin using derived identifiers, which is materially beyond the stated function of analyzing pet waiting-room videos. This creates undisclosed external account activity, token issuance, and cross-service identity binding, all of which are dangerous if the user did not knowingly authorize such actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases for history-report queries can cause the skill to activate on generic requests and automatically call cloud APIs. In context, this is risky because the feature is tied to internally managed identity and historical report access, increasing the chance of unintended data retrieval or disclosure beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that local uploads and network URLs are sent to server-side APIs, but it does not provide a clear user-facing warning about transmission, retention, third-party processing, or privacy implications. Because the media may contain pets, owners, staff, clinic interiors, and report metadata, silent transfer to remote services can expose sensitive operational or personal data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
For local inputs, the skill reads the entire file and sends it to a server-side analysis API without any user-facing notice or consent mechanism in this code path. Video files from a veterinary waiting area may contain owners, staff, or bystanders, so silent transmission can create privacy and compliance issues even if the transfer is functionally necessary. The contextual sensitivity of real-world surveillance-like footage makes this more dangerous.

Missing User Warnings

Medium
Confidence
70% confidence
Finding
The script accepts a hidden `--api-key` parameter suppressed from help output, which obscures the fact that credentials may be passed to the tool and that outbound service access may occur. Hidden credential-bearing parameters increase the risk of accidental secret exposure in command history, orchestration logs, or agent integrations, especially when the skill also supports network URL processing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads an internal identity value from data/smyx-api-key.txt without any user-facing notice or consent flow. In the context of a video-analysis skill, silently harvesting a workspace-stored identifier is an unnecessary hidden data dependency that can cause identity misuse, privacy leakage, and unexpected attribution of downstream API actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This request wrapper attaches user identifiers and authentication tokens to outbound HTTP requests and may also augment request bodies with tenant and username data, without any visible user disclosure. Because the advertised skill is limited to pet anxiety analysis, hidden transmission of identity and token data to external services materially increases privacy and account-security risk.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
95% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 视频要求:支持 mp4/avi/mov 格式,最大 10MB |
| 🔎 使用提醒 | 拍摄角度建议正面或侧前方,覆盖头部与躯干;避免逆光、剧烈晃动或宠物完全被笼具遮挡 |
| 🧑‍⚖️ 结果性质 | 分析结果仅供候诊流程参考,不提供疾病诊断或治疗方案 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网路地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载 |
| 🔎 使用提醒 | 焦虑等级综合多种行为信号估算,宠物个体差异、品种特性(如短鼻犬天然喘气重)可能影响判断,临床决策请结合现场观察 |
Confidence
93% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-pet-hospital-waiting-anxiety-analysis"
description: "Triggers when a user provides a pet hospital waiting area video URL or file for analysis; supports local video uploads or network URLs to call server-side APIs for anxiety-related behavior recognition, detecting open-mouth panting intensity, limb/torso trembling amplitude, ear-flattening degree and other stress signals, outputting a standardized anxiety level (1-5) to help medical staff identify high-stress pets and prioritize care or comfort (without diagnosing diseases or prescribing treatment). Application scenarios: pet hospital waiting areas, veterinary clinics, pet care institutions. Development reason: optimize visit workflow and reduce stress-related harm. | 当用户提供候诊区宠物视频的URL或文件时,触发本技能进行焦虑行为信号分析;支持通过上传本地视频或网络视频URL,调用服务端API检测张口喘气强度、四肢/躯干颤抖幅度、耳朵后贴程度等应激信号,综合输出标准化焦虑等级(1-5级),帮助医护人员识别高应激宠物并优先安排就诊或安抚(不诊断疾病、不提供治疗方案)。应用场景:宠物医院候诊区、动物诊所、宠物护理机构。"
license: "MIT-0"
---
Confidence
90% confidence
Finding
description:; ‍

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2