Security audit

TCM Constitution Identification & Analysis Tool | 中医体质识别分析工具

Security checks across malware telemetry and agentic risk

Overview

The skill largely performs the advertised TCM face/video analysis, but it also uses cloud APIs, silently manages persistent identities, and stores authentication tokens in ways users should review carefully.

Install only if you are comfortable sending face photos/videos and health-adjacent analysis data to the Life Emergence cloud service, allowing the skill to create or reuse a persistent identity, and storing account tokens locally. Before use, review the configured endpoints, avoid uploading sensitive media unless necessary, and treat history-report lookup as access to private health-related records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
71% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
68% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
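Why the two getattr() findings above matter in practice, as an added example that is not code from the audited skill: the filter loop resolves every caller-supplied key on the model with getattr(), so any attribute of the model becomes a filter column. The Column, Query and User classes below are a hypothetical in-memory stand-in for the ORM (so the example runs without SQLAlchemy), and the rows are constructed. With no allowlist, the count/scalar variant doubles as an existence oracle for values in sensitive columns such as token or password_hash, and an unknown key raises AttributeError from inside the request; the allowlisted version rejects both before the model is touched.

```python
# Added example, not the audited skill's code. Column/Query/User are a
# hypothetical stand-in for the ORM; ROWS are constructed sample data.
from dataclasses import dataclass


class Column:
    """Stand-in for an ORM column: `Model.col == value` builds a Predicate."""

    def __init__(self, name):
        self.name = name

    def __eq__(self, value):
        return Predicate(self.name, value)

    __hash__ = object.__hash__


@dataclass(frozen=True)
class Predicate:
    column: str
    value: object

    def matches(self, row):
        return row.get(self.column) == self.value


class User:
    """Constructed model with public and sensitive columns."""
    __tablename__ = "sys_user"
    id = Column("id")
    username = Column("username")
    email = Column("email")
    password_hash = Column("password_hash")
    token = Column("token")


class Query:
    """Minimal query object: filter() chains predicates, count() evaluates them."""

    def __init__(self, rows, predicates=()):
        self._rows = list(rows)
        self._predicates = list(predicates)

    def filter(self, predicate):
        if not isinstance(predicate, Predicate):
            # getattr() resolved a non-column attribute (e.g. "__tablename__"),
            # so `== value` produced a plain bool rather than a column predicate.
            raise TypeError(f"not a column predicate: {predicate!r}")
        return Query(self._rows, self._predicates + [predicate])

    def count(self):
        return sum(1 for r in self._rows if all(p.matches(r) for p in self._predicates))


ROWS = [  # constructed sample rows
    {"id": 1, "username": "alice", "email": "alice@example.invalid",
     "password_hash": "$2b$12$alice", "token": "tok-alice"},
    {"id": 2, "username": "bob", "email": "bob@example.invalid",
     "password_hash": "$2b$12$bob", "token": "tok-bob"},
]

# Columns a caller may legitimately filter on; everything else is rejected.
FILTERABLE = frozenset({"id", "username", "email"})


def count_unchecked(filters):
    """The audited pattern: every caller-supplied key is resolved with getattr()."""
    query = Query(ROWS)
    for key, value in filters.items():
        query = query.filter(getattr(User, key) == value)
    return query.count()


def count_allowlisted(filters):
    """Hardened form: reject keys outside the allowlist before touching the model."""
    query = Query(ROWS)
    for key, value in filters.items():
        if key not in FILTERABLE:
            # Generic message: do not echo column names or confirm they exist.
            raise ValueError("unsupported filter field")
        query = query.filter(getattr(User, key) == value)
    return query.count()


def allowlist_rejects(filters):
    """True if the hardened function refuses the given filters."""
    try:
        count_allowlisted(filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Oracle: one request per guess tells the caller whether a token exists.
    print(count_unchecked({"token": "tok-alice"}))   # 1
    print(count_unchecked({"token": "tok-nope"}))    # 0
    print(allowlist_rejects({"token": "tok-alice"}))  # True
```

The allowlist is a set of column names, not a check against the model's attributes: `key in User.__table__.columns` style checks still admit every persisted column, including the credential and hash columns the finding is concerned with.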

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to execute local scripts, read/write files, use environment/configuration, access the network, and invoke the shell, yet the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate the skill's ability to exfiltrate face images, health data, tokens, or local files via backend/API calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose presents a TCM face-analysis tool, but the behavior expands into user history retrieval, local identity generation/reuse, SQLite token/user storage, backend account provisioning, and report-link export. This mismatch is dangerous because users and orchestrators may consent to image analysis without realizing the skill can create persistent identities, associate historical reports, and access additional personal/medical data.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
The implementation accepts local files or remote video URLs and explicitly treats the input as video content, which materially exceeds and conflicts with the manifest description of facial-feature and physical-sign based constitution analysis. Capability mismatch is dangerous because it can cause users or calling systems to grant broader access than intended, enabling collection and transmission of arbitrary media or remote resources to a backend under a misleading skill identity.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill exposes report-listing and report-export link generation functions that go beyond the stated purpose of analyzing a user's constitution and returning health suggestions. This broadens the data surface to historical records and derived report artifacts, which can leak prior analyses or enable unintended access patterns if callers were only expecting one-shot analysis.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Historical report enumeration is not clearly necessary for the advertised constitution-recognition task, yet the code returns a report list and augments each item with export URLs. Enumeration features increase privacy risk by exposing metadata and potentially past health-analysis results, especially if upstream authorization is weak or callers do not expect multi-record access.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation materially diverges from the declared skill purpose: instead of narrowly performing TCM constitution recognition, it exposes a generic video-analysis entry point. This kind of scope mismatch is dangerous because users and platform reviewers may grant trust, permissions, or sensitive inputs based on the manifest, while the code can process broader content than advertised.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
Accepting arbitrary remote video URLs broadens the skill beyond its stated facial/physical-sign constitution assessment purpose and can cause unreviewed external content to be fetched or analyzed by backend services. In the context of a health-oriented skill, this hidden expansion of capability increases privacy, compliance, and misuse risk because users may not expect general-purpose remote video processing.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The history-listing function exposes an additional data-access capability not justified by the manifest. Even if intended for convenience, undeclared access to prior analysis records can reveal sensitive user activity or media metadata and violates the principle of least privilege.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
User-facing help text and function descriptions present the tool as generic video analysis rather than TCM constitution recognition, reinforcing that the actual behavior does not match the declared intent. This is dangerous because it undermines informed consent and can mislead both users and security reviewers about what data is being processed and why.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file exposes generic CRUD and arbitrary HTTP wrapper methods (`add`, `edit`, `delete`, `http_post`, `http_put`, `http_get`, `http_delete`) that can interact with caller-supplied URLs, which is far broader than the declared TCM constitution analysis purpose. In a skill context, such overbroad network capabilities increase the attack surface and can be repurposed for unauthorized data access or external service interaction unrelated to the advertised function.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code provides remote resource modification primitives via POST/PUT/DELETE wrappers and generic `add`, `edit`, and `delete` methods without any visible limitation tying them to safe, expected health-analysis operations. Because the skill’s stated purpose is diagnostic/analysis-oriented rather than administrative, these mutation capabilities are unjustified and could be abused to alter remote data or trigger side effects on arbitrary backend services.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill is described as TCM constitution analysis, but this file initializes a persistent local SQLite database and generic CRUD infrastructure. That broader data-retention capability increases privacy and misuse risk because it enables collection and long-term storage of user information outside the stated analysis purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This code defines a full user profile store with usernames, real names, email, birthday, age, sex, and token fields, which is materially broader than a facial-feature/constitution analysis skill description. The mismatch is dangerous because it enables unnecessary collection and persistence of personally identifiable and authentication-related data without clear justification.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Storing token and open_token values in a local SQLite user table is unjustified by the skill's stated TCM analysis purpose and creates credential exposure risk. If the local database is accessed, copied, or logged, these authentication-like secrets could be reused to impersonate users or access connected services.
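A check a reviewer can run against the local database before trusting the skill, as an added example that is not the audited skill's code: open the SQLite file read-only, walk every table's columns, flag credential-looking names (token, open_token, api_key, ...), count how many rows actually hold a value, and report whether the file is readable by other local users. The database path, the sys_user schema and the rows below are constructed for the demo; the skill's real schema is not reproduced here.

```python
# Added example, not the audited skill's code. The demo database, its
# sys_user/report tables and the rows are constructed for illustration.
import os
import re
import sqlite3
import stat
import tempfile
from pathlib import Path

CREDENTIAL_COLUMN = re.compile(
    r"(^|_)(token|secret|password|passwd|api_?key|session)(_|$)", re.IGNORECASE
)


def _quote(identifier):
    """Quote a SQLite identifier taken from sqlite_master / PRAGMA output."""
    return '"' + identifier.replace('"', '""') + '"'


def scan_sqlite_for_credentials(db_path):
    """Return [(table, column, populated_rows)] for credential-looking columns."""
    findings = []
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # never modify the skill's state
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
        )]
        for table in tables:
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
            for _cid, col, *_rest in conn.execute(f"PRAGMA table_info({_quote(table)})"):
                if CREDENTIAL_COLUMN.search(col):
                    populated = conn.execute(
                        f"SELECT COUNT(*) FROM {_quote(table)} WHERE {_quote(col)} IS NOT NULL"
                    ).fetchone()[0]
                    findings.append((table, col, populated))
    finally:
        conn.close()
    return findings


def readable_by_others(path):
    """True if group or other has read permission on the database file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def build_demo_db(path):
    """Constructed database shaped like the finding describes: a user table with token columns."""
    conn = sqlite3.connect(path)
    try:
        conn.executescript("""
            CREATE TABLE sys_user (
                id INTEGER PRIMARY KEY, username TEXT, real_name TEXT, email TEXT,
                birthday TEXT, age INTEGER, sex TEXT, token TEXT, open_token TEXT);
            CREATE TABLE report (id INTEGER PRIMARY KEY, user_id INTEGER, created_at TEXT);
            INSERT INTO sys_user VALUES
                (1, 'u-0001', 'Alice', 'alice@example.invalid', '1990-01-01', 35, 'F', 'tok-xyz', 'open-abc'),
                (2, 'u-0002', NULL, NULL, NULL, NULL, NULL, NULL, NULL);
            INSERT INTO report VALUES (1, 1, '2024-01-01T00:00:00Z');
        """)
    finally:
        conn.close()


def demo():
    """Build the constructed database in a temp dir and scan it; returns (findings, readable_by_others)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "skill.db")
        build_demo_db(db)
        return scan_sqlite_for_credentials(db), readable_by_others(db)


if __name__ == "__main__":
    found, exposed = demo()
    for table, col, populated in found:
        print(f"{table}.{col}: {populated} populated row(s)")
    print("readable by other local users:", exposed)
```

Point scan_sqlite_for_credentials() at the skill's own database file to see which tables carry token-like columns and how many rows are populated; a populated column in a file that readable_by_others() reports as exposed is the credential-exposure case the finding describes.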

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility file implements broad authenticated API request handling, token management, automatic identity resolution, and backend interaction that are unrelated to the declared TCM constitution-analysis purpose. In this skill context, the mismatch is dangerous because it expands the skill from local analysis into a general networked account-bearing client, increasing the chance of undisclosed data transmission, account abuse, and hidden backend operations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code automatically creates or logs in backend users through /sys/phoneLogin using generated or recovered identifiers, without any user-facing disclosure or clear functional need for constitution analysis. That behavior can silently register identities, associate activity with persistent accounts, and transmit identifiers to a remote service, which is especially concerning given the health-related skill context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill resolves identity by reading OPENCLAW_WORKSPACE, a workspace file (data/smyx-api-key.txt), and a local database, then persists and reuses that identity as the current open-id. For a TCM analysis skill, this hidden identity harvesting and persistence is unrelated and risky because it can cause cross-session tracking, unintended account linkage, and use of local secrets the user did not intend to share.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The automatic trigger phrases for history-report access are broad and likely to match ordinary conversation about reports. In this skill context, that can silently invoke cloud queries for sensitive health-history data without a clear, specific user request, increasing the risk of privacy leakage and unintended disclosure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill processes highly sensitive biometric and health-related data—face photos/videos, inferred constitution/health traits, and historical reports—but does not clearly warn users that this data is transmitted to a cloud/API service. Without explicit disclosure, users cannot make informed consent decisions, and the agent may send especially sensitive data off-device unexpectedly.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code reads the entire local file into memory and sends it for analysis without any visible disclosure, consent prompt, or data-minimization step in this component. For a health-related skill processing potentially sensitive facial/body media, silent transmission creates privacy and compliance risk because users may not understand that raw media is being uploaded to an external analysis service.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends local file paths or remote URLs to backend analysis functionality without clearly warning the user that media may be transmitted or processed off-device. In a health-analysis context, videos may contain biometric or medical-adjacent personal data, so lack of explicit disclosure increases privacy and regulatory risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Reading an identity value from data/smyx-api-key.txt without clear disclosure means the skill may silently consume sensitive workspace material and use it as an account identifier. In this context, the danger is not just secret access but covert identity selection that can tie the user to remote actions without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code sends tokens, API keys, authorization headers, and user identifiers in outbound HTTP requests while also auto-populating fields like pnaUserName and tenant/skill metadata. In a health-analysis skill, undisclosed authenticated transmission materially increases privacy and account risk because user identity and potentially health-related interactions can be linked and sent to external services without transparent notice.

VirusTotal

VirusTotal findings are pending for this skill version.
