Pet Breed & Individual Identification Skill | 宠物品种个体识别技能

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform pet media analysis, but it also under-discloses account creation, token storage, and broad remote data handling.

Install only if you are comfortable sending pet images/videos and a username or phone-based open-id to LifeEmergence/Open API services. Treat history lookup as cloud account data access, and be aware the skill may create/login an account and store returned tokens locally in the workspace data area.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The skill is presented as a pet recognition tool, but it also includes cloud-based historical report retrieval functionality that accesses prior user data. This expands the data-access scope beyond the apparent purpose, increasing the risk of unexpected retrieval or disclosure of historical records.

Description-Behavior Mismatch

Severity: Low
Confidence: 82%
Finding
The documentation says uploaded media should be automatically saved locally, which is broader than a simple recognition-only function implies. Automatic local persistence of user files can create privacy and retention risks, especially if users are not clearly informed or if cleanup is not enforced.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The privacy section claims uploaded video is deleted immediately and not persistently stored, but earlier behavior says uploaded files are automatically saved locally and cloud history/report retrieval is supported. This contradiction can mislead users about actual retention and exposure, undermining informed consent and potentially causing unauthorized persistence of sensitive media.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill advertises pet breed and individual recognition, but this API wrapper also exposes generic CRUD-style management methods such as page, list, add, edit, and delete. That broadens the skill’s authority beyond inference/analysis into backend record manipulation, creating an unnecessary capability surface that could be abused by an agent or prompt flow to alter or remove data unrelated to the stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The delete method allows deletion by cameraSn, which appears unrelated to the declared pet-recognition analysis function and suggests control over camera-associated records. In a skill context, an unjustified destructive operation is dangerous because it enables data loss or tampering if invoked accidentally, by prompt injection, or by a compromised orchestration path.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The documented endpoint performs human face detection and health/constitution diagnosis, which is materially different from the advertised pet breed and individual recognition capability. This mismatch is dangerous because it can lead to deceptive deployment, accidental collection of human biometric and health-related data, and use of a skill for purposes users did not consent to.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The file implements generic analysis-record operations and camera-associated resource handling, which does not align with the declared pet breed and individual recognition purpose. This mismatch is dangerous because it can conceal broader backend access and data-management behavior behind an innocuous manifest, increasing the risk of unauthorized data processing or misleading reviewers about the skill’s real capabilities.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The add, edit, and delete methods provide write/delete capabilities over analysis or camera-linked resources that are not justified by a pet-recognition assistant. Unnecessary modification endpoints expand the attack surface and could enable unauthorized tampering with backend records or devices if this skill is invoked in a broader agent environment.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding
The implementation exposes a generic file/URL submission and report retrieval workflow that does not appear constrained to pet breed or individual recognition. This mismatch increases the risk that the skill can be repurposed to upload arbitrary user videos/files to a backend analysis service, creating capability overreach and deceptive behavior relative to the declared skill purpose.

Intent-Code Divergence

Severity: Medium
Confidence: 85%
Finding
The code states that input must be a local or network video, which conflicts with the advertised pet-breed/individual-recognition function. This inconsistency can mislead users and reviewers about what data is being accepted and processed, increasing the chance of unintended sensitive-media submission to a broader analysis backend.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The code implements generic video analysis and history-listing behavior that does not align with the declared pet breed and individual recognition purpose. This capability mismatch is dangerous because it can conceal broader data-processing behavior than users or reviewers expect, increasing the risk of deceptive collection or exfiltration of user media and metadata through the referenced backend skill APIs.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The inline docs and CLI help text clearly describe a video analysis tool rather than a pet-recognition skill, reinforcing that the shipped behavior differs from the declared intent. Such contradictions are a security concern because misleading documentation can hide real functionality from users, auditors, and platform controls, undermining informed consent and making abuse harder to detect.

Description-Behavior Mismatch

Severity: High
Confidence: 89%
Finding
This file defines persistent user-account storage and DAO behavior even though the declared skill is for pet breed and individual recognition. That mismatch increases the risk of unnecessary collection and retention of user identity and auth-related data, expanding the attack surface beyond the skill's stated purpose.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The model stores sensitive authentication-related fields such as token and open_token along with personal identifiers like username, realname, and email, despite being unrelated to pet recognition. Retaining such data locally in a generic SQLite store creates avoidable exposure if the host is compromised, logs leak, or another component can access the database file.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The HTTP utility silently performs account lookup, automatic login/registration via /sys/phoneLogin, and persistence of returned tokens/user data, even though the advertised skill is pet breed/individual recognition. This creates undisclosed identity/account actions and storage of credentials, expanding the skill's behavior far beyond user expectations and increasing privacy and account-abuse risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The request wrapper injects App-Id, access tokens, API keys, open tokens, tenant code, platform identifiers, and username metadata into outbound requests by default. For a pet-recognition skill, this hidden coupling to platform/account context broadens data exposure and enables backend interactions unrelated to the stated functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The code returns user-facing recharge/install instructions for an unrelated payment skill when a 402-like condition occurs. Embedding monetization and cross-skill workflow messaging inside a pet-recognition utility is inconsistent with the manifest and can steer users into unexpected account/payment actions.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The historical-report trigger phrases are broad enough to match ordinary conversation, which can cause unintended execution of cloud history queries. In a skill that accesses prior reports tied to an open-id, over-broad triggers increase the chance of accidental data exposure or unnecessary remote calls.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The default activation condition is overly broad for any uploaded pet image or video, which may trigger the skill when the user did not request breed or identity analysis. Broad auto-activation is risky here because the skill performs file handling and remote API interactions that should be user-intent driven.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The API accepts uploaded videos or public video URLs but provides no privacy, retention, consent, or data-handling guidance. Because video may contain people, homes, metadata, or other sensitive content, the absence of such warnings increases the risk of unintended surveillance, non-consensual collection, or insecure third-party transfer.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
For local paths, the code reads the entire file and packages it for upload to the remote analysis API without any visible consent prompt, notice, or minimization. In a skill advertised for pet recognition, silent transmission of arbitrary local media is dangerous because users may not expect their local files to be exfiltrated to an external service.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The CLI requires an --open-id value and describes it as an OpenID, user ID, username, or phone number, which are sensitive personal identifiers, yet there is no visible privacy warning, minimization, masking, or handling guidance. In the context of a mismatched skill that already obscures its real behavior, collecting such identifiers is more dangerous because it can link analyzed media and usage history directly to identifiable individuals without clear consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Outbound requests include user identifiers such as username/open ID/mobile-derived values along with multiple authentication tokens, without any disclosure or consent handling in this code path. If invoked by normal skill usage, users may have their identifiers and credentials propagated to external services unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
