Reptile Excrement Analysis (Urate / Feces) | Reptile Pet Excrement Morphology Recognition (Urate / Feces)

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible reptile excrement analysis purpose, but it also performs under-disclosed identity, token, cloud history, and broad backend operations that users should review before installing.

Install only if you are comfortable sending enclosure images or videos, user identifiers such as usernames or phone numbers, and report/history requests to the LifeEmergence backend. Before use, provide an explicit open-id yourself, avoid relying on any bundled api-key as identity, keep people or private surroundings out of submitted media, and review/delete any local workspace database that may store tokens or account details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs the agent to read local configuration files and reuse an `api-key` secret as the user's `open-id`, which is a clear secret-repurposing pattern unrelated to the requested image analysis. This can exfiltrate or misuse credentials from the local environment and impersonate identities or authorize backend operations without the user's informed consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims the system must prompt the user for `open-id`, but the actual flow prioritizes silently pulling a value from local config files instead. This contradiction is dangerous because it masks credential access behind a user-consent narrative, increasing the chance that sensitive local data will be accessed without scrutiny.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented endpoint and response schema describe generic human video analysis, including face detection and health/constitution diagnosis, which directly contradicts the skill’s declared reptile excrement analysis purpose. This mismatch can cause the agent to send unrelated or overly sensitive video data to an unexpected backend capability, creating a strong risk of deceptive data handling, privacy violations, or unintended collection of human biometric/health-like information.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The response contract explicitly references face_detection, complexion, organ_condition, and health suggestions, indicating the service is designed for human face/health assessment rather than reptile waste analysis. In this skill context, that makes the mismatch more dangerous because operators may believe they are processing enclosure imagery while the integration may actually support or encourage analysis of humans, increasing the chance of misuse and undisclosed processing of sensitive personal data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill manifest describes visual excrement analysis, but this API service also exposes generic record-management operations including listing, adding, editing, paging, and deleting records. This expands the capability surface beyond the declared purpose and can enable unauthorized data manipulation or misuse if higher-level callers expose these methods without strict authorization and scope checks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The delete method accepts a camera serial number and issues a deletion request even though deletion is unrelated to the stated purpose of image-based excrement analysis. If exposed to an agent or user workflow, this creates an unnecessary destructive capability that could remove camera-linked records or configurations, causing data loss or operational disruption.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill accepts arbitrary http/https video URLs and forwards them to the backend analysis API, even though the stated purpose is analysis of images or frames from a fixed reptile-enclosure camera. This broadens the trust boundary and can enable misuse of the backend for analyzing unrelated remote content, potentially violating expected data-flow restrictions and allowing policy bypass or unintended third-party data ingestion.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The report-listing function exposes access to historical analysis records, which is broader than the manifest's stated single-analysis purpose. If reachable by an agent or user without strict authorization boundaries, it can reveal prior reports and metadata unrelated to the current task, increasing the risk of unintended data exposure.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The code constructs export-image links for analysis reports and returns them in user-facing output, adding a data export capability beyond simple on-screen analysis. If these links are accessible without strong access controls or are exposed to unintended recipients, report artifacts may be downloaded or shared outside the expected workflow.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script’s exposed functionality goes beyond the stated enclosure-camera excrement/frame analysis use case by accepting arbitrary local video paths or remote video URLs and invoking a generic analysis routine. This scope mismatch increases the chance the skill can be repurposed to analyze unrelated content or exfiltrate media to a backend without users understanding the broader capability.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The history-listing feature retrieves analysis records by open_id even though this capability is not necessary for the declared image/frame stool analysis task. If authorization is weak downstream, an attacker could enumerate or retrieve another user’s analysis history by supplying alternate identifiers, creating a privacy exposure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This file implements a generic API wrapper with broad CRUD operations and arbitrary HTTP methods that are not constrained to the stated reptile excrement image-analysis purpose. In an agent/skill context, such overbroad network capabilities expand the attack surface and can be abused by other components or prompts to access unintended internal or external services, making the skill more dangerous than its declared functionality suggests.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements generic persistent CRUD operations plus user-account management, which materially exceeds the manifest's narrow reptile excrement image-analysis purpose. Such hidden surplus capability expands the attack surface and enables storage or manipulation of user data unrelated to the advertised function, making the skill context significantly more suspicious.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores identity fields and sensitive token material (token, open_token, email, realname) despite no evident need for such data in a reptile feces-analysis skill. Unnecessary credential and identity storage increases privacy risk, creates a valuable target for compromise, and is especially concerning because it is disconnected from the stated skill purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file exposes a generic `ai_chat(prompt, session_id, timeout)` capability that is not constrained to the manifest's stated reptile-excrement image-analysis purpose. In an agent/skill ecosystem, this broader interface can be repurposed for arbitrary prompt handling or delegated model actions, expanding the attack surface and enabling unintended data processing or misuse beyond the declared scope.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The utility performs automatic account lookup, remote login/registration, token acquisition, and local persistence despite the skill being described as reptile excrement image analysis. This hidden identity and account-management behavior expands the skill's privileges and data handling far beyond its stated purpose, creating a material risk of undisclosed data collection and unauthorized account provisioning.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code injects a payment/recharge workflow into low-level request handling, which is unrelated to the stated visual-analysis purpose. Embedding monetization prompts in shared utility code creates an unexpected control path that can steer users into account/payment actions whenever certain server responses occur.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This shared utility implements broad remote API access, token/header injection, automatic user association, retry logic, and persistence that substantially exceed the manifest's narrow AI image-analysis claim. In context, that mismatch is dangerous because the skill can act as a general networked client with identity state, increasing the attack surface and enabling undisclosed data flows.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill says uploaded image/video attachments will be automatically saved as local files, but it does not provide clear up-front notice, retention details, or consent language tied to that storage action. Media from enclosures or facilities can contain sensitive operational data, and silent persistence increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs the agent to access configuration files containing sensitive values and treat those values as inputs for runtime behavior, without clear warning or necessity. Accessing local secrets in a content-driven workflow broadens the attack surface and can turn a benign-looking skill into a credential-harvesting mechanism.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool requires an open_id that may be a username or phone number and stores it in a global runtime variable, but provides no privacy notice, minimization, or handling guarantees. In a health-adjacent context involving animal care records, collecting direct identifiers without disclosure increases the risk of unintended personal data exposure, logging, or downstream misuse.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
Accepting a remote media URL for analysis can cause user-supplied animal enclosure images to be fetched or forwarded to external services without explicit consent or disclosure. Because the skill appears to perform AI analysis and imports shared request utilities, the context suggests possible network transmission of user media, creating a real privacy and data-governance risk even if not classic code-execution exposure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API supports uploading video files or providing public video URLs but does not mention any privacy, retention, transmission, or third-party access considerations. Because enclosure cameras can easily capture humans, homes, or other sensitive context, the lack of disclosure and safeguards increases the risk of inadvertent exposure of private footage and unsafe transfer of media to external services.

VirusTotal

64/64 vendors flagged this skill as clean.
