Back to skill

Security audit

Sick Poultry/Swine Behavior Detection | 病鸡/病猪行为识别

Security checks across malware telemetry and agentic risk

Overview

This is a real cloud video-analysis skill, but it also performs under-disclosed identity, token, account, history, and local persistence actions that users should review before installing.

Install only if you are comfortable with a cloud-backed skill that may upload barn media or submit media URLs, create or reuse a local identity, store token-like account data in the workspace, read a workspace API-key file, query prior reports, and contact Lifeemergence backend endpoints. Ask the publisher to document exact endpoints, identity sources, account-creation behavior, token storage, media retention, deletion controls, and confirmation requirements for history retrieval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented behavior clearly involves shell execution, network access, local file reads/writes, and likely environment use. This weakens least-privilege controls and makes review, sandboxing, and user consent harder, especially since the skill also saves uploads locally and invokes backend-connected scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest describes a narrow poultry/pig video analysis skill, but the behavior includes hidden identity creation/reuse, token acquisition, cloud history retrieval, and report export functions not clearly disclosed by the description. This mismatch is dangerous because reviewers and users may authorize a seemingly simple analysis tool that actually performs account-linked remote operations and local persistence.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The script exposes a `--list` mode that retrieves historical analysis records via `skill.get_output_analysis_list(open_id=open_id)`, which is outside the skill's stated purpose of analyzing poultry behavior from video. Undocumented data-access functionality increases the attack surface and may enable users or downstream agents to enumerate prior analyses tied to an `open_id`, creating privacy and authorization risks if access controls are weak elsewhere.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file exposes generic CRUD wrappers and arbitrary HTTP client methods that are not constrained to the skill’s declared purpose of livestock behavior detection. Because callers can supply arbitrary URLs and request parameters, the skill can be repurposed as a general network-capable proxy, expanding its capabilities beyond the manifest and increasing the risk of unintended data access or exfiltration.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The http_post/http_put/http_get/http_delete methods accept caller-controlled URLs and directly forward requests, creating arbitrary outbound network access. In the context of a narrowly scoped barn-video disease-detection skill, this is especially dangerous because it enables the skill to contact unrelated systems, potentially supporting SSRF-style access, unauthorized data transfer, or use as a generic exfiltration channel.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file contains generic user/account persistence logic that does not align with the stated purpose of livestock behavior detection from barn video. Capability drift is security-relevant because it expands the skill's data-handling surface to identity records and account workflows that are unnecessary for the declared function, increasing the chance of misuse, overcollection, or hidden integration behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The User model stores identity and authentication-related fields including username, realname, email, token, and open_token, which are not justified by an animal behavior detection skill. In this context, collecting and persisting credential-like material is especially concerning because it creates a sensitive-data store unrelated to the advertised functionality and could expose users if the local database is accessed or reused by other components.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility module for an animal behavior-detection skill performs unrelated identity resolution, login, token retrieval, persistence, and retry logic against external backend services. That creates hidden security-sensitive side effects and expands the attack surface far beyond the manifest’s stated purpose, including undisclosed account use and credential handling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code automatically posts registration/login data to /sys/phoneLogin with silent=1 and register=1, using derived identifiers as both openId and mobile. This can create or access backend accounts without informed user action, enabling unauthorized account provisioning, identity misuse, and hidden linkage between local workspace identity and remote services.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill derives persistent open-id credentials by reading a workspace file and local database records, then reuses or creates a default identity. This silent identity selection increases the risk of credential misuse, cross-session tracking, and unintended impersonation, especially because the skill’s stated purpose does not require persistent backend identity management.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The history-report trigger phrases are broad enough that ordinary discussion about reports could automatically invoke cloud history queries. That can cause unintended access to account-linked historical records and unexpected data disclosure in contexts where the user did not clearly request retrieval.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that uploaded attachments are automatically saved as local files without a clear user-facing disclosure, retention policy, or handling restrictions. Silent local persistence increases the risk of unintended storage of sensitive media and broadens the attack surface for data leakage or unsafe downstream processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code resolves an internal user identity through OpenIdUtil.resolve_current_open_id using a hidden --open-id parameter and no clear user-facing disclosure. This creates a privacy and authorization risk because analysis history retrieval and related backend operations may be bound to an identity the user did not knowingly provide or consent to, enabling unintended account association or access to another user's records if identity resolution is weak or ambient.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill reads the entire local file into memory and transmits it to an analysis service without any user-facing disclosure, consent check, or visible indication in this code path. That creates a privacy and data-handling risk because operators may provide sensitive barn video footage without understanding it is being uploaded to an external service.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The tool sends a local file path or remote URL to backend analysis through `analyze_video()`/`skill.get_output_analysis(...)` without any explicit notice that data may leave the local environment. For a barn-video monitoring skill, footage may contain sensitive operational or proprietary information, so silent transmission creates a meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Reading data/smyx-api-key.txt to obtain an internal identity value without notice or consent is a covert use of workspace-resident sensitive data. In a behavior-analysis skill, this is especially concerning because it repurposes local identity material for backend access in a way users would not reasonably expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code automatically transmits identity-related fields such as openId, mobile, and source to a remote endpoint without clear user disclosure. Even if intended for convenience, this is a privacy and security issue because a livestock video-analysis skill does not obviously require sending persistent identity metadata to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
90% confidence
Finding
requests.post(_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2