Package Detection Skill

Security checks across malware telemetry and agentic risk

Overview

This package-detection skill should be reviewed because it bundles and imports unrelated face/health analysis code and uses external account, token, and media-handling flows that are not clearly disclosed.

Install only after confirming the publisher intended to ship the bundled face/health analysis components, the external lifeemergence services are trusted, and users understand that media, identifiers, and report history may be sent to cloud APIs and that tokens/profile data may be stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Intent-Code Divergence

Severity: High
Confidence: 91%
Finding: The English documentation describes chronic-disease monitoring and symptom analysis, while the rest of the skill is for package detection. This mismatch can mislead reviewers and users about the skill's true purpose and data handling, increasing the chance that sensitive media is processed under false expectations.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The README documents a face-based health/physiognomy analysis capability that is unrelated to the declared package-detection surveillance skill. This kind of capability mismatch is a strong indicator of hidden or mislabeled functionality, and here it involves sensitive biometric and health inference processing, which materially raises the risk of privacy abuse and deceptive deployment.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: Documenting health or physiognomy analysis on face videos is unjustified in the context of a package-detection surveillance skill and suggests covert collection or repurposing of facial data. Because the functionality infers sensitive personal attributes from video, misuse could enable unauthorized profiling, privacy violations, and regulatory noncompliance.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The file documents a face-analysis and health-diagnosis API even though the declared skill is for package detection. This capability mismatch is dangerous because it can conceal undeclared biometric and health-processing behavior behind an innocuous inventory/surveillance use case, undermining user consent, review, and policy enforcement.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The documented response includes face-based health and physiological inferences such as organ condition and constitution, which are highly sensitive attributes and unjustified for a package-detection skill. Embedding this in a mismatched skill suggests covert collection or inference of biometric/health data, creating serious privacy, compliance, and abuse risks.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: This file defines health and face-analysis API routes inside a skill advertised as package detection, indicating clear capability mismatch and likely code reuse or mispackaging. In a deployed agent, this can cause the wrong backend service to be invoked, exposing sensitive biometric or health-analysis functionality and creating a serious trust-boundary violation.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding: The comment explicitly describes a traditional Chinese medicine face-diagnosis analysis tool, which materially contradicts the declared package-detection functionality. This is dangerous because it strongly suggests hidden or mislabeled biometric/health-processing behavior, which can lead to unauthorized collection or transmission of especially sensitive personal data.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The implementation is clearly unrelated to the declared package-detection skill and instead performs face-analysis/medical-style diagnosis. This kind of capability mismatch is dangerous because it can trick operators into deploying a skill under false pretenses, leading to unexpected collection and processing of sensitive biometric and health-adjacent data.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The comments/docstrings present generic video/API analysis while the actual code delegates to face-analysis and later emits diagnostic-style output, obscuring the real function of the skill. This deceptive presentation increases the chance that reviewers or users will misunderstand what data is processed and what the skill actually does.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The file is wired for face/health analysis and report export despite the declared skill being package detection. This kind of capability mismatch is dangerous because it can silently invoke sensitive biometric/health processing under a misleading package-detection label, causing unauthorized collection or disclosure of highly sensitive data.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The inline documentation explicitly describes face-diagnosis report listing, which contradicts the advertised package-detection purpose. In context, this is more than a cosmetic mismatch: it signals hidden access to sensitive medical/biometric report data and increases the chance that operators will enable or approve the skill under false assumptions.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The code enumerates historical face/health analysis reports and generates report-image URLs, functionality unrelated to package detection. This creates a clear unauthorized data exposure path because a user expecting parcel detection could instead access a listing of sensitive reports, potentially at scale.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: This file exposes a generic set of network CRUD wrappers (add, edit, delete, http_get/http_post/http_put/http_delete) that can send arbitrary requests to caller-supplied URLs, which is broader than the stated package-detection purpose. In an agent-skill context, such reusable outbound network primitives can be repurposed for unintended data exfiltration, lateral service access, or remote control if other parts of the skill or platform pass untrusted inputs into them.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The implementation is a reusable remote API client abstraction rather than logic tied to package detection, including pagination and generic request forwarding. In isolation this looks like convenience code, but inside a narrowly scoped surveillance skill it expands capability beyond declared functionality and increases the attack surface for unauthorized outbound communications or abuse by downstream components.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: The file implements persistent user-account storage and mutation functionality even though the declared skill is for package detection in surveillance scenes. This mismatch expands the skill's data-handling scope and creates unnecessary capability to store and modify identity-related records, increasing privacy and misuse risk if the skill is deployed with broader access than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The User model stores authentication- and profile-like fields including token, open_token, email, birthday, age, and sex, which are unrelated to package detection. Collecting and persisting these fields unnecessarily raises the risk of credential exposure, privacy violations, and secondary abuse if the local SQLite database is accessed by other components or an attacker.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The file defines an `ai_chat` capability that can construct an `openclaw agent` command using arbitrary prompt input, even though the skill is described as package detection. This expands the skill's effective capabilities beyond its declared purpose and could enable unintended agent invocation paths if the method is reachable elsewhere in the system.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding: This shared utility performs broad authenticated network operations, injects tenant/platform/user metadata, retries authorization, and even provisions accounts, which is far beyond a package-detection skill's expected scope. In this context, the code creates a hidden data-exfiltration and remote-service dependency path that could transmit user identifiers, tokens, and request payloads to external systems without clear user awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The _get_or_create_user flow silently sends a username/mobile/openId to an external /sys/phoneLogin endpoint with register=1 and silent=1, enabling automatic login or account creation. For a package-detection skill, this is unjustified and dangerous because it can create external identities and disclose personal identifiers without explicit authorization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The code intercepts HTTP 402 responses and returns scripted instructions telling the user to install and use a payment skill. While likely commercial rather than overtly malicious, this embeds billing/upsell behavior unrelated to package detection and can manipulate the user into installing additional capabilities after a failed network request.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The history-report trigger phrases are broad enough to activate report-listing behavior on common user requests that may not clearly intend this skill. In a multi-skill environment, this can cause unintended retrieval and display of historical package-analysis records, potentially exposing prior report metadata to the wrong conversational context.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill states that uploaded media will be automatically saved into a local attachments directory without a clear user-facing notice or retention policy. Local persistence of surveillance images or videos increases privacy and data-retention risk, especially if files remain accessible after processing.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill indicates that local files and public URLs are sent to an external API service for analysis, but it does not clearly warn users that their media leaves the local environment. Because the inputs are surveillance images/videos, undisclosed transmission can expose sensitive visual data, locations, and operational details to a third party.

Natural-Language Policy Violations

Severity: Medium
Confidence: 87%
Finding: The skill instructs the agent to request a username or phone number as the required open-id, making real-world identifiers part of routine processing without offering a less sensitive alternative. This unnecessarily increases collection of personal data and raises privacy, correlation, and misuse risks if logs or reports are exposed.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README instructs users to submit local or remote face videos to an API but does not clearly warn that sensitive biometric data will be transmitted to an external service. In the context of face and health analysis, this omission is dangerous because users may unknowingly expose highly sensitive personal data without understanding transmission, retention, or third-party processing risks.

VirusTotal

66/66 vendors flagged this skill as clean.