Reptile Feeding Refusal / Vomiting Detection | 爬宠进食拒绝/呕吐识别

Security checks across malware telemetry and agentic risk

Overview

This skill may analyze reptile videos, but it also uses cloud services, account identifiers, token storage, and record-management features that are not clearly scoped for that purpose.

Install only if you trust the publisher and remote service with reptile enclosure videos, supplied URLs, account identifiers, and locally cached tokens. Prefer a non-identifying open-id, avoid phone numbers or reused account secrets, and get clarification on retention, deletion, token storage, and whether add/edit/delete account-record APIs are intended to be available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill's stated purpose is analyzing reptile feeding videos, but it also mandates collection of an open-id and retrieval of cloud-hosted historical reports. That broadens data processing beyond the primary purpose and increases privacy risk by linking enclosure videos and health-related event history to an account identifier.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest presents a fixed-camera analysis skill, but the documentation expands behavior to cloud report retrieval, persistent event management, and account-linked history queries. This mismatch undermines informed consent and makes it easier for users to trigger remote data operations they did not reasonably expect from the description.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to read local configuration files to obtain an API key/open-id before performing analysis. Reading credentials from workspace paths unrelated to the user-supplied task is a sensitive-data access pattern that can expose secrets and silently repurpose them for remote API calls.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill exposes add, edit, and delete record-management APIs even though its stated purpose is limited to analyzing reptile feeding and regurgitation videos. This expands the skill's effective capability beyond least privilege and creates an unauthorized data-modification surface if the skill is invoked by an agent or user who expects analysis-only behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The delete(cameraSn) method provides a direct deletion capability unrelated to the advertised video-analysis function, enabling destructive actions against camera-associated records. In this context, hidden delete functionality is especially risky because users and orchestrators may grant the skill access expecting passive analysis, not irreversible modification or removal of records.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented response schema is clearly unrelated to the declared reptile feeding/refusal/vomiting analysis capability: it returns face detection and human health-diagnosis fields instead. This kind of capability/documentation mismatch is dangerous because integrators may send animal video to an endpoint that performs a different analysis than advertised, causing unsafe downstream decisions, silent misuse of data, and possible exposure to an unintended model or service path.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The endpoint path `/api/v1/common-analysis` suggests a generic multi-purpose analysis service rather than a dedicated reptile-feeding behavior pipeline. In the context of a narrowly scoped skill, this raises the risk of routing sensitive video to a shared or misconfigured backend, increasing the chance of incorrect processing, unintended data reuse, or cross-capability confusion.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file defines a generic user-account model and DAO, including username, email, token, and source tracking, which is unrelated to the declared reptile feeding-video analysis purpose. This functionality increases data collection and persistence beyond the manifest, creating unjustified privacy and trust risk and suggesting scope creep that could support account tracking.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The User model persists token and open_token values even though the skill's stated purpose is local reptile video analysis. Storing authentication-like secrets without clear need materially raises the risk of credential leakage, unauthorized reuse, and silent account linkage if the database is accessed by other local components or exfiltrated.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This shared utility implements broad authenticated remote API access, token management, and user bootstrap logic that is unrelated to the stated reptile video-analysis purpose. In the context of a skill that should primarily analyze local enclosure camera footage, hidden generic network CRUD capability materially expands the attack surface, enables off-scope data transmission, and can be reused by other components to exfiltrate data or perform unauthorized remote actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The _get_or_create_user flow automatically calls a remote /sys/phoneLogin endpoint with register=1 and user identifiers, effectively provisioning or logging in accounts without any clear linkage to reptile feeding analysis. Automatic account creation/login using identifiers such as phone/mobile numbers is highly sensitive behavior and can expose user identity, create unwanted remote accounts, or facilitate backend tracking without informed consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The embedded payment/recharge workflow is off-purpose for a reptile-feeding video-analysis skill and indicates coupling to monetization/account infrastructure that users would not reasonably expect from the manifest. While not directly exploitable on its own, it is suspicious because it can steer users into installing additional skills or performing financial actions unrelated to the stated functionality.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The default trigger activates whenever a user provides a reptile feeding video, without requiring a clear opt-in for cloud-backed analysis. Overbroad triggering can cause unintended processing, upload, and retention of enclosure footage and associated metadata when the user may only want local discussion or generic advice.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow describes uploading videos and identifiers to a cloud API and returning historical reports, but it does not prominently warn users that sensitive enclosure footage and account-linked metadata may leave the local environment. This lack of disclosure impairs informed consent and increases privacy/compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API documentation instructs users to upload videos or provide public video URLs, but it does not explain retention, access controls, third-party processing, or any privacy/data-handling expectations. Even though the primary subject is reptiles, enclosure videos can still contain people, home interiors, locations, or other sensitive context, so omission of data-handling guidance can lead to unintentional privacy exposure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The function forwards a user-supplied local path or URL into `skill.get_output_analysis(...)`, which likely performs external processing, yet the script provides no disclosure or safeguards around data transmission. In this skill context, the input is animal-care video that may contain personal surroundings or other sensitive visual data, so undisclosed upload or remote fetching creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script requires an `--open-id` that may be a username or phone number and stores it in a global configuration for subsequent operations, but gives no notice about how that identifier is transmitted, stored, or protected. In a consumer pet-monitoring workflow, this increases privacy risk and could enable account correlation or unintended exposure of personally identifiable information if backend handling is weak.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The DAO automatically creates a persistent SQLite database and performs schema modification on initialization without any disclosure, consent, or runtime notice. In a skill advertised for video analytics, silent local persistence of user-related data meaningfully increases privacy risk and makes it easier to accumulate sensitive state without operator awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code assembles and sends user identifiers, tenant metadata, skill identifiers, API keys, access tokens, and authorization tokens in outbound HTTP requests without any visible user-facing disclosure or purpose limitation. In a skill advertised for local reptile video behavior analysis, undisclosed transmission of identity and auth material is particularly dangerous because it violates user expectations and could expose sensitive account context to remote services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The utility silently retrieves, persists, and injects tokens and API credentials into headers, creating opaque credential handling that users and reviewers would not expect from the manifest. This is risky because hidden credential workflows can enable unauthorized backend access, cross-feature privilege reuse, and difficult-to-audit data flows if other code calls this helper.

VirusTotal

VirusTotal findings are pending for this skill version.