Back to skill

Security audit

Respiratory Symptom Smart Recognition Tool | 呼吸道症状智能识别工具

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent cloud respiratory-analysis tool, but it handles sensitive health media, cloud report history, and persistent user tokens with too little user control.

Install only if you are comfortable sending respiratory/health-related videos or URLs to the publisher's cloud service and letting the skill create or reuse a local identity with stored API tokens for report history. Prefer explicit user confirmation before uploads or history lookups, and avoid using it on shared workspaces unless identity and stored-token handling are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (31)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes local scripts, handles local files, writes outputs, and performs remote API calls, yet declares no permissions or trust boundaries. This creates a transparency and enforcement gap: an agent or reviewer cannot accurately assess that the skill can read/write files, use shell execution, access environment-derived identity, and send data over the network.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documentation adds an automatic cloud historical-report query path that is not necessary for simple local respiratory symptom recognition. This expands the skill from media analysis into remote data retrieval tied to user history, increasing privacy exposure and creating a broader attack surface for unintended data access.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill silently reuses or creates a default local user identity and associates reports to that identity without user visibility. Hidden identity binding can cause cross-user data leakage, unauthorized report access, and privacy violations, especially on shared systems or when upstream identity is absent or incorrect.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The manifest frames the skill as symptom recognition and alerting, but the workflow expands behavior to automatic local file saving and remote retrieval of report links. This mismatch reduces informed consent and can lead users or orchestrators to authorize a narrower function than the skill actually performs.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The CLI contains hidden identity resolution and a history-listing path that are not part of the advertised symptom-analysis function. Because it initializes an internal user identity and can enumerate prior analysis records, it expands the skill into account-scoped data access, which is risky for a health-related tool handling potentially sensitive medical information.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code exposes account-scoped listing/export-related behavior even though the skill is presented as a vision-based respiratory symptom detector. This mismatch is dangerous because users and reviewers may not expect access to prior health-analysis records, increasing the chance of undisclosed collection or retrieval of sensitive data.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill accepts arbitrary http/https URLs and forwards them to the backend analysis service without constraining domain, ownership, or trust level. This expands the skill from local respiratory-video analysis into a generic remote content fetch capability, which can enable unintended data access patterns, internal URL targeting by the downstream service, or analysis of untrusted third-party content beyond the stated skill purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill exposes report listing and report export URL generation features that are not described in the manifest’s narrow symptom-recognition purpose. This increases the accessible data surface and may reveal prior analysis records or report artifacts to callers who only expected one-shot video analysis, creating privacy and authorization risks if underlying access controls are weak or absent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script exposes a history-listing capability keyed by open_id, which expands functionality beyond stated video symptom analysis into retrieval of prior user analysis records. If OpenIdUtil.resolve_current_open_id or the downstream API does not strictly enforce caller authorization, this creates an insecure direct object reference/privacy exposure path where a user may enumerate or access another user's historical health-related analysis metadata.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file implements a generic API wrapper with broad CRUD and arbitrary HTTP methods (`http_get`, `http_post`, `http_put`, `http_delete`) that can call caller-supplied URLs, which is materially broader than a respiratory symptom recognition skill needs. In the context of an agent skill, this creates a capability expansion risk: the skill can be repurposed to access unrelated remote services, move data off-platform, or interact with backend APIs outside the declared medical-analysis scope.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The `get_user_by_username` capability introduces user-account lookup functionality unrelated to respiratory event detection. Even without direct modification features, account enumeration or identity correlation can expose personal information and enable misuse when embedded in a health-oriented skill whose declared purpose does not justify identity lookup.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file defines a User model and UserDao that create, query, update, and delete account-like records, including default-user selection logic, despite the skill being described as respiratory symptom recognition. This is dangerous because it expands the skill's data scope into identity management and creates a latent capability to manipulate user records unrelated to the declared medical-analysis purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores personal profile data and authentication-like values such as token and open_token without any clear relationship to cough/wheeze detection. Storing unnecessary credentials and PII increases breach impact and creates unjustified retention of sensitive data, particularly risky in a health-related skill context where users may already expect elevated privacy protections.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
DAO initialization automatically creates local database files and schema on startup, moving the skill beyond transient analysis into persistent state management. In this skill context, silent persistence broadens the attack surface and can lead to unnoticed accumulation of user and token data unrelated to respiratory event detection.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility code performs account lookup/creation, token management, and arbitrary remote API communication that are unrelated to respiratory symptom recognition. In the context of a medical-analytics skill, hidden identity provisioning and outbound service access significantly expand the attack surface, enable undisclosed data exfiltration, and create opportunities for unauthorized use of external accounts or services.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code reads a local identity file, falls back to local database records, and creates persistent default user identities automatically without any demonstrated need for the stated symptom-recognition functionality. This introduces silent identity persistence and cross-session tracking behavior that can be abused for unauthorized attribution, hidden account linkage, or downstream authenticated API activity.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Workspace discovery and automatic creation of data/skills directories are broad environment-manipulation capabilities that are not justified by the declared respiratory-analysis purpose. In a skill context, such filesystem and workspace awareness can facilitate unauthorized data placement, persistence, or interference with other agent workspaces if combined with other code paths.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases for historical report queries are broad enough to activate on ordinary requests about reports or monitoring, potentially causing unintended cloud lookups. In a health context, accidental retrieval of prior respiratory reports can expose sensitive medical metadata without clear intent confirmation.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill describes video and URL-based analysis plus report querying, but does not clearly warn users that media and related metadata may be transmitted to a remote API for processing. Because the content concerns respiratory symptoms and health monitoring, undisclosed cloud transmission materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The analysis flow sends the provided local file path or remote URL into a backend-driven processing path without any clear user-facing notice that analysis is performed remotely. In a medical-video context, this can result in unexpected transmission of sensitive health data or metadata to external services, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code reads the entire local file and transmits it to an external analysis service, but this file contains no user-facing notice, consent flow, or minimization controls. Because the skill handles potentially sensitive health-related video, silent upload materially raises privacy risk and may violate user expectations around local-file handling.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The configuration exposes a base URL over plain HTTP, which allows traffic to be intercepted or modified by an on-path attacker. Because this skill relates to respiratory symptom monitoring and health anomaly alerts, insecure transport can increase risk to sensitive health-related data, session tokens, or rendered content served through that endpoint.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code creates a SQLite database and alters tables without any user-facing notice, consent, or disclosure. In a health-oriented skill, silent local persistence is more dangerous because users may not expect storage of account or token-related information alongside symptom analysis outputs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2