Back to skill

Security audit

Pet Pica Behavior Recognition | 宠物异食行为识别(啃咬电线/塑料)

Security checks across malware telemetry and agentic risk

Overview

This pet video analysis skill is mostly aligned with its purpose, but it quietly creates or reuses persistent identities and tokens while sending indoor-camera media and report data to external APIs.

Review before installing. Use this skill only if you are comfortable uploading pet indoor-camera media or URLs to the publisher's cloud service, and with the skill silently creating or reusing a local account identity, reading a workspace API-key file, storing tokens in a local SQLite database, and querying/exporting historical reports linked to that identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises no explicit permissions, but its documented behavior includes shell execution, network access, environment use, and local file read/write. This hides the true trust boundary from users and reviewers, increasing the chance that sensitive local files or remote resources are accessed without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to perform pet-video analysis, but the documented and inferred behavior extends to persistent identity creation, local database and API-key file access, login/token acquisition, and historical report retrieval. This is a significant capability mismatch that can expose user data, create hidden persistence, and perform account-linked operations beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The API documentation exposes history pagination and full report export endpoints that go beyond the skill’s stated real-time warning workflow. In a pet indoor-camera context, stored analysis history and exportable reports may contain sensitive household surveillance metadata or derived behavioral records, expanding the data-access surface and increasing privacy risk if these capabilities are enabled without strict authorization and disclosure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The --list path exposes historical analysis records via skill.get_output_analysis_list(open_id=open_id), which is broader functionality than the declared trigger of analyzing a provided video. If open_id resolution is weak, predictable, or attacker-controlled elsewhere in the skill stack, this creates an information disclosure surface for prior user/job data beyond the current request.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill exposes additional capabilities to enumerate prior analysis reports and construct report export links, which goes beyond the manifest’s stated behavior of analyzing a provided video and issuing a warning. This increases the attack surface and can enable unauthorized access or discovery of historical report metadata and exported report artifacts if upstream authorization is weak or absent.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The script exposes a history-listing function via `--list` that is not described in the skill metadata, expanding behavior from single-video analysis to retrieval of prior analysis records. Hidden or undocumented data-access features increase the risk of unauthorized disclosure, especially because the skill processes indoor camera footage and pet-monitoring history, which may reveal sensitive household information.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file exposes broad generic request primitives and CRUD-style wrappers (`http_get`, `http_post`, `http_put`, `http_delete`, `add`, `edit`, `delete`, `page`, `list`) that are not constrained to the stated pet pica video-analysis purpose. In an agent-skill context, such reusable arbitrary HTTP capabilities expand the skill's authority and can be repurposed to access unrelated internal or external APIs, increasing the risk of data exfiltration, unauthorized actions, or SSRF-like abuse if higher layers pass attacker-controlled URLs or parameters.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The module defines persistent user-account storage, including identifiers and account metadata, that is broader than the pet-video hazard-detection skill's declared function. Unnecessary identity persistence increases privacy and compliance risk because a compromise or misuse of the local SQLite database would expose personal data unrelated to the stated feature set.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The User model stores token and open_token fields locally in SQLite despite the skill being described as video analysis for pet pica recognition. Persisting authentication tokens without a demonstrated need expands the blast radius of any local file disclosure, backup leak, or cross-skill workspace access, potentially enabling account takeover or unauthorized API use.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The request utility silently provisions identities, retrieves or creates accounts via /sys/phoneLogin, and persists tokens locally before making API calls. That behavior materially exceeds the manifest's stated pet-video analysis function and creates an undisclosed authentication/identity side channel that can register accounts and associate user activity with locally stored credentials.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code enumerates workspace structure, agent identity, and environment variables to discover data and skills directories, which is unrelated to simple pet pica video analysis. This broadens the skill's reach into the local agent environment and can facilitate unintended access to files, persistence locations, or cross-skill data not needed for the declared purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The OpenId utility reads internal identity material from data/smyx-api-key.txt, looks up default users in a local database, and creates persistent replacement identities when none exist. For a video-warning skill, this undisclosed local identity persistence is excessive and creates a durable tracking/authentication mechanism beyond the user's apparent intent.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The default trigger is broad enough to activate on generic video-analysis requests, which can cause the skill to run in contexts the user did not specifically intend. Because this skill may upload local videos or fetch network URLs for server-side processing, over-triggering increases the risk of unnecessary data exposure and unintended external API calls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description says local files or remote URLs are sent to server-side APIs, but it does not provide a clear privacy notice or explicit warning that user media may be transmitted off-device. Indoor camera footage is highly sensitive, so silent cloud transfer materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document specifies API key authentication and report export endpoints but provides no warning about handling potentially sensitive video-derived data from indoor pet cameras. Because the skill operates on in-home monitoring footage, missing privacy and data-handling guidance can lead to overbroad access, insecure integrations, or unsafe export of reports containing sensitive household information.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill accepts either a local file or remote URL and sends the content to server-side analysis without any user-facing disclosure in this code path that the video will be uploaded or fetched remotely. Because the skill processes indoor camera footage, the privacy sensitivity is high; users may unknowingly transmit sensitive household imagery or cause the backend to retrieve third-party URLs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill reads an internal identity/API-key file from the workspace without any evidence of user-facing notice, consent, or scoping to the declared pet-monitoring task. Secret or identity-file access can silently bind the skill to a broader account context and expose users to hidden data use or billing consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
HTTP requests include persistent identifiers and authentication tokens (for example pnaUserName, X-Access-Token, X-Api-Key, Authorization) with no visible user-facing disclosure. In the context of a pet camera analysis skill, transmitting identity-linked metadata beyond what is necessary for video inference creates unnecessary privacy and account-linkage risk.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
90% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 视频要求:支持 mp4/avi/mov 格式,最大 10MB |
| 🧑‍⚖️ 结果性质 | 推荐结果仅供安全监测参考,不提供疾病诊断 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,API 服务会自动下载 |
| 🔎 使用提醒 | 预警信号由智能家居安防设备(智能音箱 / 宠物摄像头)基于本技能输出结果触发,本技能仅负责输出干预建议 |
Confidence
72% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-pet-pica-behavior-recognition-analysis"
description: "Triggers when a user provides an indoor camera video for analysis; supports local uploads or network URLs to call server-side APIs for pet pica-behavior recognition, detecting contact between the pet's mouth and non-food hazardous items (electric wires, plastic bags, socks, tissues, toy fragments, etc.); when the contact lasts ≥ 2 seconds, outputs a warning signal to help prevent intestinal obstruction, electric shock and other dangers (without diagnosing diseases). Application scenarios: indoor cameras, pet safety monitoring, smart-home security. | 当用户提供室内监控视频时,触发本技能进行异食行为识别;支持通过上传本地视频或网络视频URL,调用服务端API检测宠物嘴部与电线、塑料袋、袜子、纸巾、玩具碎片等非食物物品的接触动作;持续接触 ≥ 2 秒时输出预警信号,预防肠梗阻、触电等危险(不诊断疾病)。应用场景:室内摄像头、宠物安全监控、智能家居安防。"
version: "1.0.6"
license: "MIT-0"
---
Confidence
78% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2