Cat Face Recognition Skill | 猫脸识别技能

Security checks across malware telemetry and agentic risk

Overview

This cat-recognition skill sends media and user identifiers to a cloud service and also performs under-disclosed account/token handling that users should review before installing.

Install only if you are comfortable sending cat photos/videos, public media URLs, and a username/phone/open-id to LifeEmergence cloud services. Treat the open-id as account-identifying data, review the local token database risk, and avoid using third-party or private/internal URLs unless you have consent and understand how the backend handles retention and access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
86% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
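Both getattr() findings above point at the same weakness: the filter key comes from the caller and is resolved against the model class unchecked, so the caller chooses which attribute the WHERE clause is built on. Two consequences matter in practice. A column that was never meant to be queryable (the report's User model carries token and open_token) becomes an equality oracle: a caller who may only look up users by name can confirm a token guess one request at a time. And a key that names a non-column attribute (in SQLAlchemy, relationships, `__table__`, methods) produces an unhandled exception rather than a clean rejection. The following is an added example written for this report, not the skill's own code: a minimal stand-in for an ORM model and repository reproduces the flagged pattern in `count_unsafe`, and `count_safe` shows the usual fix, an explicit allowlist of filterable columns checked before any attribute lookup. The model, column names and sample rows are constructed for the example.

```python
import sqlite3


class Column:
    """Minimal stand-in for an ORM column object.

    Comparing a Column to a value yields a (sql_fragment, bound_parameter)
    pair, mirroring what `Model.col == value` produces in SQLAlchemy.
    Constructed for this example; not the skill's own model code.
    """

    def __init__(self, name):
        self.name = name

    def __eq__(self, value):
        return (f"{self.name} = ?", value)

    __hash__ = object.__hash__


class User:
    # Hypothetical model; the column set mirrors the report's User record.
    __tablename__ = "users"
    id = Column("id")
    username = Column("username")
    mobile = Column("mobile")
    token = Column("token")


# Columns a caller may legitimately filter on. `token` is deliberately absent.
FILTERABLE = frozenset({"id", "username", "mobile"})


def make_db():
    """In-memory SQLite with constructed sample rows (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, mobile TEXT, token TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "13800000001", "tok-alice-secret"),
         (2, "bob", "13800000002", "tok-bob-secret")],
    )
    return con


class Repo:
    __model__ = User

    def __init__(self, con):
        self.con = con

    def count_unsafe(self, filters):
        """The flagged pattern: every key the caller supplies is resolved with
        getattr() on the model and turned into a WHERE clause."""
        clauses, params = [], []
        for key, value in filters.items():
            sql, param = getattr(self.__model__, key) == value
            clauses.append(sql)
            params.append(param)
        where = " AND ".join(clauses) or "1=1"
        row = self.con.execute(
            f"SELECT COUNT(*) FROM {self.__model__.__tablename__} WHERE {where}", params
        ).fetchone()
        return row[0]

    def count_safe(self, filters):
        """Hardened form: reject keys outside an explicit allowlist before
        any attribute lookup happens."""
        bad = set(filters) - FILTERABLE
        if bad:
            raise ValueError(f"filtering on {sorted(bad)} is not permitted")
        return self.count_unsafe(filters)


if __name__ == "__main__":
    repo = Repo(make_db())
    # Token oracle: 1 on a correct guess, 0 otherwise.
    print(repo.count_unsafe({"username": "alice", "token": "tok-alice-secret"}))
    print(repo.count_unsafe({"username": "alice", "token": "wrong"}))
    print(repo.count_safe({"username": "alice"}))
```

With the unsafe variant, a key such as `__tablename__` resolves to a plain string, the comparison evaluates to a bool, and the unpacking fails with a TypeError: an unhandled server error instead of a deliberate 400. The allowlist check turns both the oracle and the crash into a controlled rejection, and it should live in the repository layer so every caller of `page`, `list` and similar methods inherits it.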

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill exposes broad CRUD-style operations (`page`, `list`, `add`, `edit`, `delete`) that go beyond the stated purpose of cat-face recognition analysis. In an agent skill context, unnecessary record-management capabilities increase attack surface and may allow unauthorized enumeration, modification, or deletion of backend data if the skill is invoked in ways the user did not intend.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `delete` method allows deletion of camera-associated records by `cameraSn`, which is not justified by a recognition-only skill description. In this context, destructive operations are particularly risky because an agent or caller could remove records or integrations tied to camera devices, causing data loss or service disruption beyond simple analysis.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented API behavior materially conflicts with the skill’s stated purpose: instead of identifying individual cats, it accepts face/video inputs and returns human-oriented diagnosis and health-related inferences. This mismatch is dangerous because it can mislead integrators and users into sending sensitive biometric data to an unrelated analysis service, creating undisclosed surveillance, privacy, and deceptive-functionality risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The response schema documents human health and constitution analysis fields such as organ condition, complexion, and health warnings, which are unrelated to cat identification. In the context of a cat-face-recognition skill, this strongly suggests hidden or misrepresented biometric profiling of humans, increasing the risk of unauthorized sensitive-inference processing and user deception.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The service exposes generic CRUD-style management methods (`page`, `list`, `add`, `edit`, `delete`) that go beyond the stated cat-face recognition analysis purpose and indicate the skill can manipulate backend records, including camera-related objects. In an agent skill context, unnecessary management capabilities expand the attack surface and can be abused for unauthorized enumeration or modification if the skill is invoked with broader privileges than users expect.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The `delete` method allows deletion of camera/device records via `cameraSn`, which is unrelated to the declared purpose of recognizing cats from images or videos. In this context, destructive device-management functionality is especially dangerous because an analysis skill could be used to disrupt monitoring infrastructure, remove enrolled devices, or tamper with operational records if exposed through the agent or backend API.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implementation accepts arbitrary local files and arbitrary HTTP(S) URLs, then submits them to a generic analysis backend and formats a generic analysis report. That behavior is materially broader than the declared cat-face-recognition purpose, creating a capability mismatch that can lead to unauthorized analysis of unrelated content and accidental data exfiltration to the backend service.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill allows user-supplied remote URLs to be passed through for analysis without any allowlist or scope restriction. This expands the skill beyond local cat media handling and can be abused to make the backend fetch arbitrary remote content, potentially exposing internal services, sensitive URLs, or causing unintended processing of third-party data.
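When a user-supplied URL is forwarded to a backend fetcher, the minimum check a practitioner would want before accepting it is the one the finding says is missing: a scheme and host policy that keeps the fetcher away from loopback, private, link-local and cloud-metadata addresses, and optionally pins it to a host allowlist. The function below is an added example for this report, not code from the skill; the `ALLOWED_HOSTS` constant and the sample URLs in the test are constructed. It works purely on the URL string, so it runs offline; see the note after it for what it cannot cover.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts the skill is documented to fetch from would go here. Empty means
# "any public host". Assumption for this example only.
ALLOWED_HOSTS = frozenset()


def check_media_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a caller-supplied media URL.

    Rejects non-http(s) schemes, embedded credentials, missing hosts,
    loopback-style hostnames, any address literal that is not globally
    routable (loopback, private, link-local, multicast, reserved, and
    IPv4-mapped IPv6 forms of those), and hosts outside `allowed_hosts`
    when an allowlist is configured.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"

    host = parts.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"

    # Address literal: decide on the address itself, unwrapping IPv4-mapped IPv6.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped
        if not ip.is_global:
            return False, f"non-global address literal {ip}"

    if allowed_hosts and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://example.com/cat.mp4",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:10.0.0.5]/"):
        print(u, check_media_url(u))
```

A string-level check is necessary but not sufficient: a public hostname can resolve to an internal address, and can change its answer between the check and the fetch. Whatever performs the download must resolve the name itself, apply the same `is_global` test to every resolved address, connect only to an address it has checked, and re-apply the policy on each redirect. A fixed host allowlist, as the finding suggests, removes most of that class of problem outright.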

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation exposes a generic video-analysis and history workflow that does not match the declared cat-face-recognition purpose. This kind of skill/manifest mismatch is dangerous because users and platform reviewers may grant permissions or provide data under false expectations, while the code can process arbitrary videos and retrieve prior analysis history tied to a user identifier.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The inline help text and function documentation repeatedly describe a generic video analysis tool, contradicting the manifest’s cat-face-recognition description. This inconsistency increases the risk of deceptive behavior, operator error, and unsafe approval because reviewers and users cannot reliably tell what data is actually being processed.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file exposes generic CRUD and raw HTTP helper methods that can send requests to arbitrary URLs, which materially exceeds the stated cat-face-recognition purpose. In a skill context, this creates a broad exfiltration and misuse surface because any higher-level code can repurpose the module as a general network client rather than a narrowly scoped recognition helper.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The arbitrary network wrappers expose GET, POST, PUT, and DELETE capabilities without visible restriction on destination, operation type, or business purpose. For a skill that should identify cats from images or video, these methods are unnecessarily powerful and could be abused to contact unrelated services, mutate remote state, or transmit sensitive data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file defines a generic user/account persistence layer inside a skill described as cat-face recognition. The mismatch in scope is security-relevant because it introduces identity and account-management functionality not necessary for the stated purpose, increasing the chance of hidden data collection, privilege misuse, or token handling beyond user expectations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores identity attributes and especially token/open_token values, which are unrelated to cat-face recognition. Persisting authentication material in a local SQLite database broadens exposure if the file is read, copied, or abused by other local components, and the skill context makes this more suspicious because the capability is outside the declared function.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This utility implements broad authenticated HTTP access, token handling, retry logic, and account-related behavior that materially exceeds a cat-face recognition skill's stated purpose. Such overbroad capability increases the attack surface and enables unrelated data access or backend actions if reused by the skill or a compromised component.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code persists user records and tokens locally even though the skill description only mentions image/video recognition. Storing account data outside the declared function creates unnecessary collection and retention of sensitive identity and authentication material.
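The two findings about the local User store (the model that persists token/open_token values, and the code that writes user records and tokens to a local database) describe a file a reviewer will want to inspect directly: which columns hold authentication material, how many rows are populated, and whether the file is readable by other local users. The audit below is an added example for this report, not part of the skill; it builds a constructed SQLite file shaped like the reported User table, reports secret-looking columns and the file mode, and shows the minimal permission fix. The column-name pattern is an assumption: `token` and `open_token` come from the findings, the other names are common conventions.

```python
import os
import re
import sqlite3
import stat
import tempfile

# Column names that usually hold authentication material. `token` and
# `open_token` are from the report; the rest are common conventions.
SECRET_COL = re.compile(r"(token|secret|password|passwd|api_key)", re.IGNORECASE)


def audit_sqlite(path):
    """Describe credential exposure in a SQLite file.

    Returns {"group_or_other_readable": bool,
             "secret_columns": [(table, column, populated_rows), ...]}.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    result = {"group_or_other_readable": bool(mode & 0o077), "secret_columns": []}
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            qt = '"' + table.replace('"', '""') + '"'
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
            for _, col, *_ in con.execute(f"PRAGMA table_info({qt})"):
                if SECRET_COL.search(col):
                    qc = '"' + col.replace('"', '""') + '"'
                    n = con.execute(
                        f"SELECT COUNT(*) FROM {qt} WHERE {qc} IS NOT NULL AND {qc} != ''"
                    ).fetchone()[0]
                    result["secret_columns"].append((table, col, n))
    finally:
        con.close()
    return result


def restrict_permissions(path):
    """Owner-only read/write; the least a plaintext token store needs."""
    os.chmod(path, 0o600)


def make_sample_db():
    """Constructed stand-in for the skill's local user store (fake data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, mobile TEXT, "
                "token TEXT, open_token TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "13800000001", "tok-alice-secret", "open-alice-secret"),
        (2, "bob", "13800000002", "tok-bob-secret", None),
    ])
    con.commit()
    con.close()
    os.chmod(path, 0o644)  # typical default on a shared machine
    return path


if __name__ == "__main__":
    p = make_sample_db()
    print(audit_sqlite(p))
    restrict_permissions(p)
    print(audit_sqlite(p))
```

Tightening the file mode only narrows who can read the tokens; it does not change that they are stored in clear. If the store has to exist at all, the values belong in the platform keyring or encrypted at rest with a key the skill does not keep beside the database, and the audit should be re-run against the file the installed skill actually writes.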

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The helper automatically performs phone-login and user creation using a username/mobile/openId without any demonstrated user initiation or consent. In the context of a cat-face recognition skill, silent account provisioning is unrelated and could create unauthorized accounts, leak identifiers, or bind users to external services unexpectedly.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The history-report trigger phrases are broad enough that common user requests could automatically invoke backend history retrieval. In this skill context, that may expose prior report metadata or links tied to an open-id without sufficiently clear user intent, especially because the skill is designed to fetch cloud-stored records.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The default activation criteria are broad and can cause the skill to run automatically whenever a user shares cat media and asks general identification questions. Because execution includes local file saving and remote API use, ambiguous auto-invocation increases the risk of unintentional data transmission and processing beyond what the user expected.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill omits a clear privacy warning even though the workflow sends user-provided images/videos and an open-id to a cloud API and may retrieve historical records. In a media-analysis skill, undisclosed transfer of potentially sensitive household surveillance footage and user identifiers materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API documentation instructs clients to upload video files or provide public video URLs but does not disclose retention, sharing, storage, consent, or handling requirements for that potentially sensitive media. Because face/video data may contain humans, pets, homes, and other private context, the lack of privacy guidance increases the risk of inadvertent over-collection and unsafe transfer of personal data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script requires an open_id that may be a user ID, username, or phone number and forwards it into backend analysis/history functions without any privacy notice, minimization, or masking. In the context of a mismatched skill that already obscures its true function, collecting direct identifiers raises the risk of unnecessary tracking, user correlation, and privacy violations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The request path injects usernames, tenant identifiers, skill metadata, and authentication tokens into outbound requests, but this file shows no user-facing notice, consent, or minimization controls. That creates a privacy and transparency risk, especially because the behavior goes beyond straightforward local cat-face matching.

VirusTotal

65/65 vendors flagged this skill as clean.
