Back to skill

Security audit

Pet Training Command Execution Recognition | 宠物训练指令执行识别(坐/卧/等)

Security checks across malware telemetry and agentic risk

Overview

The skill’s pet-video analysis is coherent, but it silently creates or reuses an account identity, stores tokens locally, and sends videos, URLs, and history requests to cloud APIs.

Install only if you are comfortable with pet/home videos or video URLs being processed by the publisher’s cloud service, with the skill automatically creating or reusing an account identity, and with access tokens being stored in a local workspace database. Avoid private camera footage unless you trust the service’s retention and access controls, and review or clear the workspace data directory if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and documents capabilities to read/write local files, invoke shell commands, use environment-derived identity, and access the network, but it declares no explicit permissions. This creates a transparency and governance gap: reviewers and users cannot accurately assess the skill’s authority, while the workflow includes automatic file saving and remote API access.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented behavior expands from simple posture-command analysis into cloud-based historical report retrieval and report-link generation. This is a scope expansion because it introduces additional data access and disclosure paths beyond the core advertised function, increasing the chance of unintended access to prior records or metadata.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script includes a hidden `--list` mode that retrieves account-scoped analysis history, which is outside the declared single-video command-execution workflow. Undocumented alternate flows increase the attack surface and can enable unauthorized or unexpected access to previously generated user data, especially when paired with implicit identity resolution.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill resolves an internal `open_id` and uses it to retrieve account-scoped output data, even though the stated function is just analysis of a provided video. Tying a simple media-analysis tool to hidden identity-based data access creates a privacy and authorization risk, because it may expose another user's historical results or let the tool operate on account context the user did not knowingly supply.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The pet-training skill config includes `DETAIL_EXPORT_URL` pointing to a health-report export API, which is unrelated to the declared video posture/command-analysis purpose. This indicates cross-domain endpoint reuse or over-privileged configuration that could expose sensitive medical report export functionality to the wrong skill context, increasing the risk of unauthorized access or data leakage if the endpoint is reachable through this skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Embedding a medical/health report export capability in a pet-training analysis module violates least privilege and creates an unexpected path to sensitive functionality. In this skill context, the mismatch makes the finding more dangerous because users and reviewers would not expect health-data export behavior in a pet-training workflow, which can hide accidental exposure or unauthorized invocation opportunities.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill exposes a history-listing function via `show_analyze_list()` that is not described in the skill metadata, expanding capability from one-off pet video analysis into retrieval of prior analysis records. Undisclosed data-access features increase privacy risk because users and integrators may not expect the skill to enumerate stored history tied to an identity context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code resolves a hidden `open-id` identity context and then uses `ConstantEnum.CURRENT__OPEN_ID` for listing analysis history, even though identity handling is not justified by the stated pet-video posture analysis purpose. Hidden identity coupling is dangerous because it enables user-specific data retrieval and correlation without transparent user-facing disclosure or clear consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill includes a generic `ai_chat` capability intended to invoke an external `openclaw agent`, which is unrelated to the manifest's stated purpose of pet training video posture/command analysis. Even though the subprocess call is currently commented out, the presence of this latent capability broadens the trust boundary and creates an unnecessary pathway for external command/agent invocation if later enabled.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This utility layer silently creates or rehydrates user identities, obtains tokens from a remote service, and persists them locally, even though the declared skill purpose is pet-training video analysis. That creates an unnecessary identity-management side channel and can cause undisclosed account linkage, credential storage, and network activity unrelated to the user’s expected action.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code reads a workspace data file for an API/open-id value and falls back to scanning a local user database to select or create a default identity. For a pet-video analysis skill, this is over-privileged behavior that expands access to local state and user identity data beyond the stated need, increasing privacy and account-misuse risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The default trigger is broad enough to auto-invoke the skill whenever a user provides a relevant video URL or file, without requiring sufficiently specific intent. In a skill that can save attachments locally and send content to server-side APIs, overbroad triggering raises the risk of unintended data handling and privacy-impacting actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that local files and network URLs may be used with server-side APIs, but it does not clearly warn users that their media and referenced remote resources are sent to cloud services. This omission undermines informed consent and can expose sensitive household, location, or behavioral data embedded in pet training videos.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow says uploaded attachments are automatically saved as local files, but there is no user-facing notice about this persistence or its retention and access implications. Automatic local storage increases exposure to accidental disclosure, cross-session leakage, or misuse by other components with filesystem access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill accepts either a local file path or a remote URL, then uploads the file contents or forwards the URL to a backend analysis service without any user-facing disclosure, confirmation, or trust boundary checks in this code path. In this context, the input is a pet-training video, which may still contain sensitive household imagery, audio, location clues, or private camera footage; additionally, accepting arbitrary remote URLs can cause the backend to fetch attacker-controlled resources, increasing privacy and SSRF-style exposure depending on server behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script accepts a hidden `--api-key` parameter suppressed from help output, allowing credential injection and backend access behavior that is not disclosed to users. Concealed credential handling is risky because it can bypass transparency expectations, complicate auditing, and enable silent use of privileged backend functionality.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The analysis path sends a local file path or remote URL into `skill.get_output_analysis(...)`, which by description invokes a server-side API, but the script does not clearly disclose that user-supplied content may be transmitted off-device. In a pet-training context this can expose private home videos, timestamps, and possibly network locations, making the lack of explicit network/data-transfer notice a meaningful privacy and trust issue.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
FileUtil.open() opens any supplied path for writing with no validation, confinement, or safety checks. If untrusted input can reach this helper elsewhere in the skill ecosystem, it can enable arbitrary file overwrite, data corruption, or planting of files in sensitive workspace locations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request helper automatically injects user identifiers and authentication tokens into outbound HTTP requests, with no per-request consent or feature scoping. In the context of a pet-training video analysis skill, this broad, hidden transmission of identity and credential material is more dangerous because it exceeds the minimal data expected for video inference and can leak or misuse account context across endpoints.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
95% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2