Student Classroom Engagement Analysis | Student Classroom Emotional Engagement Analysis (学生课堂情绪参与度分析)

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as anonymous classroom engagement analysis, but its artifacts handle identifiable users, stored tokens, history reports, and a mismatched health-analysis API surface.

Review this before installing. VirusTotal telemetry is clean, but the artifacts themselves show sensitive classroom video processing tied to identifiers, cloud history reports, local token storage, and a health-analysis API mismatch. Do not use it with students or minors unless the publisher explains the identity handling, account creation, retention, deletion, report access controls, and legal consent process in detail.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script exposes a history-listing function keyed by an `open_id`, even though the skill description emphasizes real-time, non-identity-stored classroom engagement analysis. This creates an unnecessary capability to retrieve user-scoped analysis records, which expands data exposure risk and could allow unauthorized access to historical classroom data if identifiers are guessed or reused.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The CLI explicitly accepts direct identifiers such as OpenID, username, or phone number, which conflicts with the stated claim that no identity is stored. In a classroom analytics context involving minors, collecting strong identifiers materially increases privacy risk, enables linkage of emotion/engagement data to individuals, and broadens the consequences of misuse or breach.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The documented API endpoint and response schema are fundamentally inconsistent with the declared classroom engagement purpose: instead of engagement metrics, it returns TCM-style health/physiognomy outputs derived from face video. This kind of capability mismatch is a strong indicator of deceptive or repurposed functionality and could enable covert collection or inference of sensitive health-related attributes from students, which is especially dangerous in educational settings involving minors.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The response fields explicitly describe personal diagnosis-like analysis from facial video, including constitution, organ condition, complexion, warnings, and suggestions. In the context of a classroom engagement tool, this is an undisclosed secondary use of student video for sensitive personal inference, creating serious privacy, compliance, and misuse risks, particularly for children and other vulnerable subjects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill accepts arbitrary http/https URLs and forwards them to the backend as videoUrl, which expands the data source beyond the manifest's described fixed classroom camera workflow. This can enable misuse such as analyzing third-party hosted videos, policy bypass, or server-side fetching of untrusted URLs if the downstream service retrieves the content.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding
The code exposes report-listing functionality and constructs export links for analysis results, which goes beyond the manifest's real-time engagement-analysis description. In a classroom setting, this increases the risk of retaining, enumerating, or redistributing sensitive student-analysis outputs that may contain behavioral or biometric inferences.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The CLI requires an --open-id and explicitly supports using OpenID, user ID, username, or phone number, which contradicts the skill description's claim that no identity is stored. In a classroom analytics context involving minors and facial-expression analysis, tying analysis or history access to persistent user identifiers increases privacy risk and suggests retention or linkage of student-related data beyond transient real-time use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The show_analyze_list function exposes a user-scoped history listing capability that is not justified by the stated purpose of real-time classroom engagement reminders. For surveillance-style classroom analytics, retaining and retrieving historical analysis expands the data-processing scope and creates additional privacy and misuse risks, especially if used to review student engagement patterns over time.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
This file exposes generic CRUD and raw HTTP wrapper methods that accept arbitrary URLs, which is broader than the declared classroom-engagement analytics purpose. In an agent/skill context, this creates an unnecessary capability surface that could be repurposed to access or modify unrelated remote systems if other components pass attacker-controlled endpoints or sensitive payloads.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The add, edit, delete, and generic POST methods permit remote resource modification through caller-supplied URLs without visible scope restrictions. Even if intended as shared utility code, this enables actions unrelated to student-engagement analysis and could be abused for unauthorized state changes against arbitrary backend services reachable by the skill.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file defines persistent user-account storage, including usernames and authentication-related fields, even though the skill description claims classroom engagement analysis with no identity storage. In a classroom context involving minors, retaining user/account data beyond the stated purpose materially increases privacy and compliance risk and expands the blast radius if the local database is accessed.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The User model stores token, open_token, email, birthday, age, and sex, which are sensitive or authentication-related data unrelated to the manifest's stated real-time engagement analysis purpose. Collecting and persisting these fields creates unnecessary surveillance and account compromise risk, especially in education settings where student privacy expectations are high.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The DAO automatically performs a schema migration that adds a source_id column to a persistent local user table. This conflicts with the skill's framing as real-time analysis without identity storage and quietly expands persistent state, making undisclosed collection or linkage of user records more plausible.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The HTTP helper does more than transport requests: it silently provisions or logs in a user via /sys/phoneLogin, retrieves token material, and persists those credentials locally through the DAO layer. That capability is unrelated to classroom engagement analysis and creates a hidden account-creation and credential-handling path that could transmit identifiers and establish backend access without informed consent.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
This code loads existing tokens from storage, falls back to auto-creating an account, then saves token-bearing user records back to persistent storage. For a classroom engagement skill, embedding credential provisioning and persistence in shared utility code is excessive privilege and broadens the blast radius if the module is reused or compromised.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
Although the code comments claim headers are suppressed to avoid token leakage, the exception-path debug print still includes a 'headers' label and emits detailed request context, while global HTTPConnection/urllib3 debug logging is enabled in debug mode. In practice, this can expose Authorization, X-Access-Token, API keys, request bodies, and user identifiers into logs, which are commonly accessible beyond the original caller.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
A default trigger that activates on essentially any classroom video analysis request is overly broad and can cause the skill to process videos or invoke external APIs without sufficiently specific user intent. In a surveillance-like classroom setting, accidental activation increases the chance of unintended collection, upload, or retention of student video and related metadata.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The historical-report lookup is auto-triggered by a broad keyword list, which can cause retrieval of cloud-stored reports without strong confirmation of user intent or authorization context. Because these reports concern minors and classroom behavioral analytics, inadvertent disclosure or overbroad access is particularly sensitive.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The code collects sensitive user identifiers through `--open-id` without any in-tool privacy notice, purpose limitation, or disclosure, despite the manifest suggesting anonymous/non-identity storage. In a classroom setting, especially one that may involve children, silent collection of identifiers alongside behavioral analytics increases privacy and compliance risk and can mislead operators about what data is being processed.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The API accepts direct video uploads or publicly accessible video URLs but provides no warning about privacy, consent, retention, or exposure of sensitive student imagery. In a classroom context, this omission is material because the system processes facial video of potentially identifiable minors, and public URL submission can further expand unintended access or leakage risk.

Missing User Warnings

Severity: Low
Confidence: 77%
Finding
Requiring an API key without documenting secure storage, rotation, scoping, or transmission handling increases the likelihood of accidental credential exposure in code samples, logs, or client-side integrations. While common in API docs, this is still a real security weakness because compromised keys could grant unauthorized access to sensitive classroom video analysis services.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill reads the entire local file and submits its contents for analysis without any disclosure or consent handling in this code path. Because the context involves classroom videos of students, this can result in silent transmission of sensitive footage and inferred emotional/engagement data to an external service.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding
Remote URLs are passed to the analysis service without any notice to the user that external content references will be submitted or fetched. While less direct than uploading a local file, it still creates privacy and trust risks and may trigger unexpected retrieval of sensitive or unapproved content by the backend.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The CLI collects sensitive identifiers including OpenID, username, and phone number and uses them for analysis/list operations without any user-facing warning, minimization, or privacy guidance. In the context of classroom facial-expression analysis, this raises the risk of linking behavioral or inferred emotional data to identifiable individuals, which is especially sensitive when students may be minors.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The request utility automatically attaches user identifiers such as pnaUserName and multiple authentication tokens to outbound requests, with no evidence of user-facing disclosure or consent at this layer. In a classroom setting, hidden transmission of identifiers and credentials is especially sensitive because the skill is expected to analyze engagement, not manage backend identities.

VirusTotal

65/65 vendors flagged this skill as clean.