Fish Surface Symptom (White-spot / Hyperemia / Fin-rot) Detection | 鱼类体表白点/充血/烂尾识别

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud fish-image analysis tool, but it also bundles under-disclosed account login, token storage, broad backend helpers, and mismatched generic health-analysis documentation.

Review this skill carefully before installing. Use it only if you are comfortable sending fish camera images or video URLs, open-id or username/phone-style identifiers, and account-linked tokens to the configured LifeEmergence services. Avoid using a real phone number as the open-id unless required, and treat the local workspace database as sensitive because it may contain tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
87% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The script exposes a history retrieval function via --list and show_analyze_list(open_id) even though the manifest describes only symptom detection/reporting. Undocumented data-access functionality increases the attack surface and may allow enumeration or retrieval of prior analysis records for arbitrary user-supplied open_id values if downstream access control is weak or absent.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documented API endpoint and response schema describe human face detection and constitution/organ analysis rather than fish surface disease detection. This mismatch is dangerous because any agent or integrator relying on the reference may send aquarium imagery to an unrelated human-analysis service, causing incorrect operation, privacy/compliance issues if people appear in frames, and complete failure of the advertised medical-monitoring function.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The behavior documented in the response body is fundamentally inconsistent with the skill’s stated purpose: it returns face counts, complexion, organ-condition, and lifestyle suggestions instead of white-spot, hyperemia, or fin-rot detection. In context, this makes the skill especially unsafe because users may trust it for fish health decisions while the backend appears to analyze a different domain entirely, leading to missed disease detection and harmful husbandry actions based on invalid outputs.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a generic network API wrapper with broad CRUD and arbitrary HTTP capabilities that are not justified by the declared fish-symptom detection purpose. In a narrowly scoped diagnostic skill, such reusable remote access primitives expand the attack surface, enable hidden secondary behaviors, and make it easy for other parts of the skill to interact with unrelated backend endpoints without clear restriction or user awareness.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The add/edit/delete/http_put/http_delete methods expose remote state-changing operations even though the skill is described as an image-analysis diagnostic tool. If reachable by untrusted inputs or reused elsewhere, these methods could be abused to modify or delete remote resources, making the skill capable of unauthorized actions well beyond passive disease detection.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements a generic persistence layer plus user-account storage and mutation logic that is unrelated to fish surface symptom detection. In the context of a vision-based aquarium health skill, hidden local user database capabilities materially expand the skill's data-handling scope and create an unjustified storage surface for personal data and tokens.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The User model stores identity and authentication-related fields such as username, email, token, and open_token without any justification from the declared fish disease analysis purpose. Retaining such sensitive values in a local SQLite database increases the risk of credential/token disclosure, lateral account compromise, and privacy violations if the host or database file is accessed.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The class is presented as a generic reusable DAO, but initialization performs a hard-coded ALTER TABLE on sys_user. This hidden side effect undermines least surprise, couples unrelated models to a user table, and can silently mutate local schema whenever the DAO is instantiated, which is especially suspicious given the skill's unrelated fish-analysis purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility code performs hidden account bootstrap/login against a remote health service, retrieves tokens, and persists them locally via DAO logic. That behavior is materially unrelated to a fish-symptom image-analysis skill and creates an undisclosed authentication and data-handling path that could expose user identifiers, create accounts without clear consent, and expand the skill’s privilege surface.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code injects unrelated payment-skill instructions when a remote balance check fails, coupling this skill to monetization behavior outside its declared function. This is dangerous because it can steer users into installing another skill and disclosing payment-related information based on backend responses not obviously tied to fish diagnosis.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill reads full local media content into memory and transmits it to an external analysis service via `self.analysis(...)`, but this code provides no user-visible disclosure, consent flow, or data-handling notice. Because aquarium or underwater camera feeds may contain sensitive surroundings or private property, silent transmission creates a real privacy and compliance risk even if the feature is functionally intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Enabling HTTPConnection and urllib3 debug logging can expose full request and response metadata, potentially including authorization headers, tokens, identifiers, and sensitive payloads. In a shared utility, this creates a broad risk of credential leakage to logs during debugging, especially because the code globally increases logging verbosity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The request flow transmits mobile/username/openId-style identifiers and later attaches multiple auth tokens in headers without any visible user disclosure or consent mechanism. In the context of a fish-disease detection skill, this is over-collection and hidden transmission of account-linked data unrelated to the core camera-analysis function.

VirusTotal

65/65 vendors flagged this skill as clean.
