
Security checks across malware telemetry and agentic risk

Overview

This bird-recognition skill needs Review because it includes under-disclosed account login, token storage, and cloud media handling that do not cleanly fit its stated purpose.

Review carefully before installing. Only submit media and identifiers you are comfortable sending to the LifeEmergence cloud service. Do not store real API keys where the skill may reuse them as open-id values. Treat the local account/token database and the automatic phone-login behavior as sensitive until the publisher documents its consent, retention, deletion, and credential-handling controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to read a local configuration file and use an `api-key` value as a user's `open-id`. This is a credential-misuse pattern that can expose secrets from the local environment and also confuse service authentication material with user identity, enabling unauthorized API access or cross-user data retrieval.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The analysis request injects a `petType` parameter from a default constant despite the skill being described as bird recognition. This mismatch strongly suggests code reuse from a different domain, which can misroute requests, trigger unintended backend behavior, or cause data to be processed under the wrong model or tenant context if the server interprets `petType` as a control parameter.

Intent-Code Divergence

High
Confidence
90% confidence
Finding
The inline comment explicitly states that a pet-type parameter is being added, which conflicts with the advertised bird-recognition purpose. This is dangerous because it corroborates that the behavior is intentional in code, increasing the likelihood of cross-domain request confusion, incorrect model selection, or hidden functionality inconsistent with the skill's declared scope.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented response payload describes face detection, constitution/organ diagnosis, and health warnings instead of bird-species recognition. This is dangerous because the skill is presented as a bird-recognition tool, but the reference API appears to process human biometric/health-like data, creating a strong risk of deceptive functionality, privacy violations, and use of an unrelated backend.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API behavior documented here is for uploading videos or video URLs to a service that returns face detection and health-diagnosis results, not bird recognition. In the context of a bird-recognition skill, this mismatch makes the skill materially more dangerous because users may unknowingly send human video data to a biometric/health-analysis service under false pretenses.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation materially conflicts with the declared bird-recognition purpose: it processes generic/common/health AI responses, exports analysis reports, and includes health-oriented fields and report handling. This kind of skill/manifest mismatch is dangerous because users may provide wildlife imagery or other local files under false assumptions while the skill actually sends data to a different backend/use case, creating a deceptive data-flow and trust-boundary violation.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The input path handling supports generic file upload or remote video URL submission into a broad analysis workflow rather than a constrained bird-recognition pipeline. This is risky because it expands what data can be transmitted and analyzed beyond the documented function, increasing the chance of undisclosed collection, misuse, or accidental processing of unrelated sensitive content.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The comments/docstrings describe generic report-list behavior rather than bird-species recognition, reinforcing that the implementation does not match the advertised purpose. Misleading internal documentation increases maintenance risk and can conceal unauthorized capability drift, making review and user trust materially weaker.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation performs generic video analysis and history listing, which does not match the declared bird-recognition purpose of the skill. This mismatch is dangerous because users may provide wildlife footage and identifiers under the assumption of a constrained bird-species workflow, while the backend can process broader video content and expose unrelated analysis or historical data.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The CLI help states that an API key is required, but the code neither requires nor validates it before invoking analysis. This can lead to unauthenticated or implicitly authenticated backend access, creating confusion about security boundaries and increasing the risk of unauthorized use if the backend trusts ambient credentials or weak defaults.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This file defines a generic local user/account DAO with fields like username, email, token, and open_token, which is not necessary for a bird-recognition skill. Unrelated identity and token persistence expands the attack surface and may enable covert credential collection or retention beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code derives a workspace path from the environment and creates a local SQLite database under a data directory. For a skill advertised as image/video bird species recognition, this undocumented persistence capability is broader than necessary and could be used to store user data, tokens, or tracking artifacts on disk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes a generic AI chat/agent invocation path that is unrelated to the stated bird-recognition purpose, which expands the skill's capabilities beyond its declared scope. Even though the subprocess invocation is currently commented out/broken, the presence of this latent agent interface creates unnecessary attack surface and could later be re-enabled to send arbitrary prompts or data to an external agent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The HTTP helper contains unrelated identity/login behavior: it can auto-register or log in a user via /sys/phoneLogin using a username/mobile, then persist returned token and openToken locally through the DAO. In a bird-recognition skill, this hidden account creation and credential persistence is unnecessary and expands the blast radius to unauthorized account provisioning, token harvesting, and covert backend access.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The API handler injects unrelated payment-skill installation and recharge instructions when it receives status 402, steering the user toward installing another skill not required for bird recognition. This creates a covert cross-skill upsell/dependency path and can be abused for social engineering or unauthorized monetization.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs automatic local saving of uploaded files without warning the user about local storage or retention. Because the skill handles user-supplied images and videos, silent persistence increases privacy risk, creates residual sensitive data on disk, and may expose media to other local processes or later unauthorized access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill mandates retrieving historical reports from a remote cloud API using `open-id`, but it does not provide an explicit privacy warning that identifiers and report-related metadata will be transmitted off-device. This is dangerous because users may unknowingly expose account-linked activity history and media-derived reporting data to a third-party service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs users to upload video files or submit public video URLs but provides no privacy notice, retention policy, consent guidance, or warning about transmitting potentially sensitive visual data to a remote server. Because the same document also suggests face-related analysis, the absence of privacy/security disclosures is more serious than a generic omission and could lead to unauthorized processing of personal data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads the entire local file and prepares it for upload to an external analysis service without any visible consent, warning, or minimization step in this path. This is dangerous because users may unintentionally transmit sensitive local media or metadata off-device, especially given the skill's misleading bird-recognition branding.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill accepts remote video URLs and forwards them for analysis without explicitly informing the user that network resources will be submitted to a backend service. While less severe than local-file upload, it still creates an undisclosed transmission path and can surprise users about how external content is fetched or processed.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The tool requires an open-id that may be a user ID, username, or phone number, but provides no privacy notice, minimization, or disclosure about how this identifier is stored or transmitted. In a media-analysis workflow, collecting direct identifiers alongside submitted videos increases privacy risk and can enable unnecessary user tracking or correlation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The analysis function accepts local files or URLs and passes them to a skill backend without any explicit warning that video data may leave the local environment. This is particularly risky because users may submit sensitive ecological footage, private property imagery, or embedded metadata while believing the tool is a local bird-recognition utility.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The request path automatically attaches user identifiers such as pnaUserName and sends multiple auth headers including X-Access-Token, X-Api-Key, and Authorization to remote services, without any user-facing notice outside debug logging. Because this is a bird-recognition skill, silent transmission of identity and credentials is not obviously necessary and increases privacy and credential-exposure risk, especially if endpoints or logs are misconfigured.

VirusTotal

VirusTotal findings are pending for this skill version.
