烟火检测技能 (Fire and Smoke Detection Skill)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to offer fire and smoke analysis, but its artifacts also include mismatched health/face-analysis behavior, broad identity handling, and local token persistence that users should review before installing.

Review before installing. Treat uploaded videos/images, media URLs, report links, usernames, phone numbers, API keys, and generated tokens as sensitive. Ask the publisher to clarify the actual backend and remove or document the health/face-analysis remnants, silent account creation, local token storage, and report-history behavior before using it in safety or surveillance workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Dynamic attribute access via getattr()

Severity: Low
Category: Dangerous Code Execution
Content:
if filters:
    for key, value in filters.items():
        # `key` comes from the caller-supplied filters dict and is resolved
        # against the model class by name, so any attribute name is reachable
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence: 82%
Finding:
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Severity: Low
Category: Dangerous Code Execution
Content:
    if filters:
        for key, value in filters.items():
            # attribute name is taken from the caller-supplied filter key, not from a fixed allow-list
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence: 82%
Finding:
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill instructs the agent to obtain an open-id from local configuration files or directly from the user, effectively handling identity or credential-like data unrelated to core media inference. Reading local config for api-key/open-id expands data access scope and risks accidental disclosure, misuse, or cross-user confusion if identifiers are reused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill includes cloud history-report listing and retrieval behavior in addition to fire/smoke detection, which broadens its function into remote data access and report enumeration. That increases privacy and data exposure risk because users may invoke historical record access without understanding they are requesting remotely stored prior analyses and report links.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The documented API endpoints and scenario code clearly describe pet health analysis rather than fire/smoke detection, which is a material capability mismatch for this skill. In a security-sensitive or safety-critical deployment, this can misroute data, cause operators to invoke the wrong backend, and create unauthorized data exposure or unsafe operational assumptions about what the skill actually does.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The documented endpoint behavior is materially inconsistent with the skill's declared fire/smoke detection purpose: it returns face detection and health/constitution diagnosis data instead of fire-related outputs. This kind of scope mismatch is dangerous because it can conceal undeclared surveillance or sensitive inference capabilities behind a benign safety-oriented description, defeating user consent and platform review expectations.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The response schema documents capabilities unrelated to fire early warning, including face detection and health diagnosis. Undeclared secondary processing of biometric and inferred health attributes creates a serious transparency and data-minimization issue, and could enable sensitive profiling under the guise of a harmless monitoring skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The documentation describes physiognomy/health-diagnosis style outputs that are unjustified for a fire detection use case and may constitute highly sensitive inferred personal data. In the context of uploaded videos, this raises the risk of covert health profiling and misuse of visual data beyond the user's reasonable expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill is described as performing fire/smoke detection analysis, but this API wrapper also exposes record-management methods such as add, edit, and delete. Expanding the capability surface beyond analysis increases the chance that an agent or downstream caller can modify or remove records unrelated to the stated purpose, enabling unauthorized state-changing actions if access controls are weak or misused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
Administrative create/update/delete capabilities are not justified by the declared detection-only function of the skill. In an agent setting, unnecessary write operations are risky because they can be invoked accidentally or by prompt manipulation to alter monitored records, delete camera-related data, or tamper with operational state.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The skill manifest claims fire/smoke detection, but this code normalizes and emits fields such as commonAiResponse and healthAiResponse, indicating the implementation is wired to a different analysis domain. This kind of capability mismatch is dangerous because downstream users or agents may trust the skill for safety-critical fire detection while receiving unrelated or malformed results, causing missed alerts or incorrect operational decisions.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The historical report listing extracts healthAssessment and faceAnalysisResponse fields instead of fire/smoke detection data, which strongly suggests report history is being interpreted from the wrong product domain. In a fire-warning context, presenting unrelated health labels as detection outcomes can mislead users, obscure actual incident history, and undermine trust in safety monitoring.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The file implements a generic user-account data model and DAO inside a skill whose stated purpose is fire/smoke detection. This scope mismatch increases concern because it introduces unnecessary identity/account persistence capabilities that are unrelated to the advertised function, expanding attack surface and enabling data collection beyond user expectations.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The model stores token and open_token values even though authentication-token storage is unrelated to fire/smoke analysis. If these secrets are written in plaintext to a local SQLite database, compromise of the workspace or local files could expose reusable credentials or API access tokens, causing account or service takeover.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
This utility for a fire/smoke detection skill performs unrelated identity/account behavior: it auto-creates or logs in users via /sys/phoneLogin, persists tokens, and injects pnaUserName, tenantCode, skillHubName, X-Access-Token, X-Api-Key, and Authorization into outbound requests. That creates hidden identity coupling and unauthorized data handling far beyond the expected scope of image/video analysis, increasing risk of account abuse, privacy violations, and confused-deputy behavior if the skill is run in environments where users did not explicitly consent to account provisioning.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The code handles account-balance failure by returning recharge/install instructions for a payment skill, which is unrelated to fire/smoke detection. Embedding monetization and payment workflow logic in a detection utility expands the trust boundary and can steer users into account/payment actions they did not expect from an analysis skill.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The default trigger language is broad enough that ordinary mentions of uploaded images or videos for fire-related analysis could automatically activate the skill without a clear confirmation boundary. In a skill that can save files locally and call remote services, unintended invocation can lead to unexpected data handling and API usage.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The automatic history-query trigger relies on broad natural-language keywords like 'history report' or 'show all reports,' which can cause unintended remote retrieval of historical analysis data. Because those results include report metadata and links, accidental activation can expose sensitive operational records or URLs.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill states that uploaded attachments or video/image files are automatically saved as local files, but this persistence behavior is not surfaced as a prominent user warning. Silent local storage increases privacy and retention risk, particularly for surveillance footage or sensitive incident imagery.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill asks the user for a username or phone number to use as open-id, but does not present a prominent privacy notice explaining collection, transmission, storage, and linkage of that identifier to cloud reports. Usernames and phone numbers are personal data, so collecting them without clear notice and minimization creates privacy and compliance risk.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding:
The skill describes cloud history queries and displaying reportImageUrl links without clearly warning users that remote data retrieval will occur and that clickable report URLs may expose access patterns or sensitive report locations. While lower severity than direct credential handling, it still creates avoidable privacy and disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The API accepts uploaded videos and public video URLs but provides no warning about privacy handling, retention, or the possibility of biometric/sensitive inference from the media. Because the same documentation also indicates face and health-related analysis, the lack of notice materially increases the risk of non-consensual collection and processing of sensitive personal data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code reads the entire local file and uploads it to the analysis service without any user-facing notice or consent handling in this path. For surveillance or industrial footage, that can expose sensitive visual data, location details, or personal information to a remote service in ways the user may not expect.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding:
The skill forwards user-supplied remote video URLs to the backend analysis service without making that transfer behavior visible in this code path. While common in media-processing skills, undisclosed sharing of URLs can leak internal, signed, or otherwise sensitive resource locations to external services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code silently sends network requests with credential-bearing headers including X-Access-Token, X-Api-Key, and Authorization, while also attaching contextual identity metadata to request bodies. In a skill advertised for fire/smoke analysis, undisclosed external transmission of credentials and user-linked metadata is dangerous because users and integrators may not realize that invoking detection functionality also authenticates to remote services and exposes operational identity information.

VirusTotal

VirusTotal findings are pending for this skill version.