Infant Prone-Sleep Suffocation Warning Skill (婴儿趴睡窒息预警技能)

Security checks across malware telemetry and agentic risk

Overview

This infant safety video skill may be legitimate, but it sends sensitive video and identity data to a remote service while under-disclosing account creation and token storage, and it bundles generic health-analysis components that do not match its stated purpose.

Install only after verifying the publisher and backend, and only if you are comfortable sending infant sleep videos, video URLs, usernames or phone numbers, and report-history requests to the remote service. Ask the publisher to document account creation, token storage, retention/deletion, and the exact infant-suffocation API contract before relying on it for safety alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Intent-Code Divergence

Severity: Medium (93% confidence)
Finding
The examples include a concrete placeholder open-id value immediately after stating that assumed or generated open-id values are forbidden. In practice, operators and downstream agents often copy example commands verbatim, so this contradiction can lead to use of a default/test identifier, causing cross-user data mix-ups, unauthorized record access, or improper attribution of safety reports.

Intent-Code Divergence

Severity: Medium (96% confidence)
Finding
The documented APIs and scenario code are for pet health analysis, which materially conflicts with an infant suffocation warning skill. This kind of domain mismatch can cause the agent to call unrelated backends, route infant-related media or metadata into the wrong system, and produce unsafe or misleading outputs in a safety-critical context.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
Finding
The code injects a petType parameter into the analysis request inside an infant suffocation warning skill, which is inconsistent with the declared purpose and suggests code reuse or hidden functionality outside the manifest scope. Scope mismatch is dangerous because it can route data to unintended model behavior, undermine user trust, and indicate the skill may process subjects other than infants without disclosure.

Description-Behavior Mismatch

Severity: Medium (88% confidence)
Finding
The service exposes generic page/list/add/edit/delete operations even though the skill description emphasizes real-time suffocation-risk alerting rather than record management. Undeclared CRUD capabilities expand the attack surface, may enable unauthorized data enumeration or modification if reachable, and create a mismatch between the advertised function and the actual backend operations.

Description-Behavior Mismatch

Severity: Medium (88% confidence)
Finding
The script exposes a history/listing function via `show_analyze_list()` that returns prior analysis outputs, but this capability is outside the stated real-time infant sleep warning purpose. In a safety-monitoring context involving potentially sensitive infant video analysis, an undocumented listing endpoint increases the chance of unauthorized access to historical records or metadata if access controls are weak or mis-scoped.

Context-Inappropriate Capability

Severity: Medium (92% confidence)
Finding
The CLI requires `--open-id` and describes it broadly as OpenID/UserId/username/phone, which permits collection of more identity data than is necessary for infant sleep analysis. Accepting broad identifiers raises privacy and correlation risks, especially when tied to infant monitoring records, and may encourage use of sensitive personal data without clear necessity or minimization.

Intent-Code Divergence

Severity: High (97% confidence)
Finding
The documented endpoint and response schema are clearly inconsistent with the stated infant suffocation warning purpose: it accepts generic video analysis input and returns face detection, constitution, and organ-health diagnostics unrelated to infant sleep safety. In a safety-critical skill, this mismatch is dangerous because integrators may rely on the skill for real-time suffocation alerts while actually invoking an unrelated health-analysis service, causing missed detections, unsafe decisions, and possible exposure of sensitive infant video to an unintended backend.

Description-Behavior Mismatch

Severity: High (95% confidence)
Finding
The implementation is a generic file/URL analysis and reporting client, not a narrowly scoped infant suffocation warning detector as declared in the manifest. This mismatch is dangerous because users may trust the skill with sensitive infant-monitoring data under false assumptions about purpose, processing, and safety characteristics, while the code appears capable of broader analysis/reporting workflows.

Context-Inappropriate Capability

Severity: Medium (91% confidence)
Finding
The skill exposes historical report listing and export URL generation unrelated to real-time infant suffocation alerts. In context, this increases data exposure risk because prior analysis results and report identifiers may be accessible through a skill that users expect to be focused only on live safety monitoring, creating unnecessary access to stored records.

Description-Behavior Mismatch

Severity: High (95% confidence)
Finding
The implementation exposes a generic video-analysis entry point and a history-listing feature, but nothing in this file enforces infant suffocation detection or limits processing to the declared safety use case. That mismatch is dangerous because a skill presented as infant safety monitoring may actually act as a general-purpose media analysis wrapper, increasing the chance of undisclosed data collection, repurposing, or deceptive capability claims.

Context-Inappropriate Capability

Severity: Medium (88% confidence)
Finding
The history-listing capability retrieves prior analysis output through a generic function without showing any purpose limitation, authorization check, or minimization tied to infant safety alerts. In a safety-monitoring context, retaining and exposing analysis history can leak sensitive video-derived information about infants, caregivers, or household activity if accessed by the wrong user or process.

Description-Behavior Mismatch

Severity: High (92% confidence)
Finding
This file implements a broad, reusable API client with generic GET/POST/PUT/DELETE and CRUD helpers that are not constrained to the narrowly described infant suffocation warning purpose. In a safety-monitoring skill, such unrestricted network capability expands the attack surface, enables unexpected data exfiltration or remote command-style integrations, and makes it easier for other parts of the skill to contact arbitrary backend endpoints without purpose limitation.

Context-Inappropriate Capability

Severity: Medium (89% confidence)
Finding
The exposed http_post/http_put/http_get/http_delete methods accept caller-supplied URLs and forward requests directly, creating effectively unrestricted outbound network access from the skill code. Even if intended as convenience wrappers, this design can be abused by other components to send data to unintended destinations or perform unauthorized remote actions unrelated to infant safety monitoring.

Description-Behavior Mismatch

Severity: High (95% confidence)
Finding
The module implements generic user-account persistence, including identity fields and token storage, which is unrelated to an infant suffocation warning skill. In a safety-focused skill, collecting and persisting unrelated account data materially expands the attack surface and creates unnecessary privacy and security risk without clear functional justification.

Context-Inappropriate Capability

Severity: High (97% confidence)
Finding
The User model stores authentication-style secrets and profile data such as token, open_token, email, birthday, age, and sex, none of which are justified by the stated purpose of detecting unsafe infant sleep conditions. If compromised, these fields expose sensitive personal data and reusable credentials, making the impact much higher than ordinary metadata leakage.

Intent-Code Divergence

Severity: Medium (78% confidence)
Finding
The top-level documentation describes a generic lightweight CRUD wrapper, but the implementation includes a hardcoded sys_user table, token-bearing fields, and schema alteration logic. This mismatch hides the true security-relevant behavior of the module, making review, consent, and risk assessment harder and increasing the chance that sensitive data handling goes unnoticed.

Context-Inappropriate Capability

Severity: High (96% confidence)
Finding
This utility code performs account creation/login against an external service, retrieves tokens, and persists them locally, which is unrelated to the stated infant sleep-safety purpose of the skill. In the context of a safety-monitoring skill, hidden identity provisioning and credential storage materially expand the trust boundary and can expose users to unauthorized account creation, credential misuse, and silent data sharing.

Description-Behavior Mismatch

Severity: Medium (92% confidence)
Finding
The file implements a broad authenticated API client with token injection, retry logic, tenant/user attribution, and billing-related handling that goes well beyond infant suffocation alerting. This unnecessary capability increases attack surface and creates opportunities for unintended outbound requests, over-collection of user identifiers, and coupling to monetization flows not expected from the skill description.

Vague Triggers

Severity: Medium (88% confidence)
Finding
The default trigger is broad enough to activate the skill for essentially any infant sleep monitoring video request, without requiring explicit user intent for cloud analysis or alerting. Over-broad invocation can cause unintended processing of sensitive footage, surprise network transmission, and accidental use of a high-impact safety workflow when the user only wanted generic video help.

Vague Triggers

Severity: Medium (90% confidence)
Finding
The skill auto-triggers historical alert queries based on vague keywords, which can cause retrieval of cloud-hosted infant safety records when the user did not clearly request account-specific history access. Because those records are tied to an open-id and may contain sensitive timestamps and report links, unintended invocation increases privacy and authorization risk.

Missing User Warnings

Severity: High (97% confidence)
Finding
The skill automatically saves uploaded monitoring videos locally and sends data to a cloud API, but the description and flow do not prominently disclose this handling of highly sensitive infant surveillance data. This undermines informed consent and can expose private household footage, timestamps, and linked reports to unnecessary retention, breach, or misuse.

Missing User Warnings

Severity: Medium (83% confidence)
Finding
The document states that API Key authentication and file upload are used but gives no guidance on secure credential handling, storage, transmission, or treatment of uploaded data. In a skill that may process infant images or video frames, this omission increases the risk of credential leakage, insecure integrations, and improper handling of sensitive data.

Missing User Warnings

Severity: Medium (90% confidence)
Finding
The analysis flow sends an input path or URL into `skill.get_output_analysis(...)`, implying network-based processing, but the user-facing behavior does not clearly warn that local video content or remote URLs may be transmitted to an external service. Because the subject matter is infant sleep monitoring, this can expose highly sensitive household video data without informed consent, making the omission more serious in context.

Missing User Warnings

Severity: Medium (89% confidence)
Finding
The API supports uploading videos or submitting public video URLs, but the documentation provides no privacy, retention, consent, encryption, or data-handling guidance. Because this skill processes infant video in a highly sensitive context, the omission increases the risk of exposing personally sensitive footage, accidental third-party access via public URLs, and noncompliant handling of children's data.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The code reads and uploads local file contents or submits arbitrary remote video URLs to a backend analysis API without any user-facing notice in this file. In an infant-monitoring context, that can involve highly sensitive household and child video data, so silent transmission materially increases privacy and consent risk even if the backend is legitimate.

VirusTotal

VirusTotal findings are pending for this skill version.