Security checks across malware telemetry and agentic risk

Overview

This skill largely matches its description as an outdoor monitoring service, but it also performs account-linked cloud processing and local token storage that are not disclosed clearly enough given the sensitivity of surveillance media.

Review before installing. Use this only if you are comfortable sending outdoor camera images/videos or public media URLs to the provider's cloud service, linking reports to an open-id/username/phone-like identifier, and allowing the skill to store service tokens locally. Do not use an API key as an identity value, avoid sensitive footage unless the provider's retention and access controls are acceptable, and prefer explicit confirmation before querying historical reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Dynamic attribute access via getattr()

Severity: Low
Category: Dangerous Code Execution
Content:
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    if offset:
        query = query.offset(offset)
Confidence: 83%
Finding: query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Severity: Low
Category: Dangerous Code Execution
Content:
        if filters:
            for key, value in filters.items():
                query = query.filter(getattr(self.__model__, key) == value)

        return query.scalar()
    finally:
Confidence: 83%
Finding: query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The instructions tell the agent to obtain an open-id by reading api-key values from local configuration files, conflating authentication secrets with user identity. This encourages secret harvesting from local files unrelated to the user request and can expose credentials from the workspace or other shared components.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: This service implements record-management capabilities (list, add, edit, delete, and paginated retrieval) that go beyond the manifest's stated purpose of outdoor image analysis. Expanding the skill's operational scope increases the attack surface and may allow unauthorized data manipulation or inventory management actions if the host agent exposes these methods without strict authorization boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The delete method provides a destructive record-management operation that is not justified by the described outdoor monitoring analysis function. If exposed through the skill, an attacker or over-privileged caller could delete camera or analysis-related records by supplying a camera serial number, causing data loss, disruption of monitoring workflows, or tampering with operational state.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The documented API behavior is materially inconsistent with the skill's declared purpose of outdoor target detection. Instead of returning object-detection results for people, vehicles, pets, or regions, it returns face-related and medical/constitution diagnosis data, creating a strong risk that the skill is miswired to an unrelated or privacy-invasive backend and could cause users to upload surveillance video for undisclosed biometric or health-style analysis.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: A 'common-analysis' endpoint that returns medical or constitution-diagnosis content for uploaded video contradicts the monitoring use case and signals potentially unsafe data repurposing. In this skill context, users would reasonably expect object detection for outdoor surveillance, not processing that may infer sensitive personal attributes from faces, which raises privacy, consent, and trust concerns.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill is described as an outdoor monitoring/image analysis capability, but this file also exposes add, edit, and delete operations for camera-related records. That expands the skill's authority from analysis into configuration management, violating least privilege and creating a pathway for unauthorized modification or removal of surveillance assets if the skill is invoked with broader permissions.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding: The implementation accepts arbitrary local files or remote video URLs and submits them for generic analysis, which materially exceeds the advertised outdoor image-target detection scope. This capability mismatch is dangerous because users or orchestrators may trust the skill with a narrower permission and data-handling profile than the code actually exercises, enabling unintended processing or exfiltration of sensitive media from local paths or external URLs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding: The skill exposes report listing and export-link generation features that are not part of the narrow monitoring-analysis description, expanding access from analysis to historical report discovery. In practice this can expose metadata and report URLs to callers who expected only per-file inference, increasing the chance of unintended data disclosure across prior analyses.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: Comments and field handling reference health/constitution analysis concepts inconsistent with an outdoor monitoring skill, suggesting code reuse across unrelated domains. This is risky because it may cause the skill to process, expose, or mislabel health-related data under an innocuous surveillance manifest, creating hidden sensitive-data handling and misleading downstream users about what is being inferred.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: The implementation materially differs from the skill manifest: it performs video analysis and exposes a video history listing rather than the declared outdoor image-analysis behavior. This kind of capability mismatch is dangerous because users, reviewers, and policy controls may grant access based on the advertised purpose while the code processes broader or different data, increasing the risk of undisclosed surveillance and unauthorized data handling.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The inline docs and CLI help explicitly present this as a video analysis tool, contradicting the manifest's image-analysis description. Such contradictory messaging can conceal the true operational scope from operators and governance systems, making it easier to deploy a more privacy-invasive function than intended in an outdoor monitoring context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill is described as outdoor target detection for images, but this file defines persistence for user accounts, emails, birthdays, and tokens. That mismatch increases risk because the skill has hidden data-collection and credential-storage behavior unrelated to its stated purpose, which expands the attack surface and can facilitate covert retention of sensitive user data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The code derives a writable path from the workspace environment and creates a local database under a shared data directory, capabilities not justified by the declared surveillance-analysis purpose. In this skill context, undisclosed local persistence is more dangerous because it can silently retain operational or personal data and create unintended cross-skill data exposure within the workspace.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The file defines an `ai_chat` capability that is unrelated to the advertised outdoor image-monitoring purpose, creating hidden functionality that could later be used to send arbitrary prompts to an external agent. Even though the subprocess call is currently commented out, the code scaffolding, session generation, and logging indicate latent agent-execution behavior that expands the attack surface and violates least-functionality expectations for this skill.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The docstring claims the method invokes an external `openclaw agent` via subprocess, but the implementation does not do so and instead uses a dummy `result` object. This mismatch is dangerous because it obscures the true behavior of the skill, can mislead reviewers about actual execution paths, and may hide unfinished or intentionally disabled command-execution logic that could be re-enabled without proper review.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The HTTP helper performs account lookup, auto-registration/login via /sys/phoneLogin, then stores the returned token and openToken locally through the DAO. That behavior is unrelated to a utility module for outdoor image monitoring and silently creates or reuses identities, expanding the skill's privileges and creating privacy and account-abuse risk if triggered without explicit user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The code intercepts HTTP 402 responses and injects a recharge/payment workflow message into this skill's behavior. Payment handling is outside the stated purpose of outdoor monitoring analysis, so embedding it here creates hidden business logic and can steer users into unrelated account actions from a low-level utility path.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: An ambiguous default trigger can cause the skill to activate on loosely related user requests and process images or videos without sufficiently explicit consent. In a surveillance-oriented skill, unintended invocation is more dangerous because it may lead to local file saving, external API calls, and report creation using sensitive media.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The history-report keywords are broad enough to trigger cloud queries and identity-related workflows from casual phrasing. Because report queries involve open-id handling and retrieval of prior surveillance records, over-triggering can expose sensitive historical data or prompt unnecessary account-linked operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill states that uploaded attachments are automatically saved as local files without prominently warning users in the description. Automatic local storage of surveillance images or videos creates privacy risk, especially when the media may contain people, property, or other sensitive scenes.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation says network URLs are passed to an external API service for automatic retrieval, but does not clearly warn users that third-party infrastructure will fetch and analyze the referenced content. This can disclose sensitive URLs, access patterns, or media contents to an external service without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill collects an open-id, potentially using a username or phone number, and queries cloud report history without a clear privacy disclosure. In a surveillance context, linking monitoring reports to personally identifying information materially raises the risk of privacy invasion, account correlation, and unauthorized access to sensitive records.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation instructs users to upload video files or provide public video URLs to a remote API but does not clearly warn that surveillance footage is transmitted off-device for third-party processing. For an outdoor monitoring skill, this omission is significant because footage may contain bystanders, vehicles, and private property, and users may unknowingly expose sensitive visual data to an external service.

VirusTotal

VirusTotal findings are pending for this skill version.