Stranger Proximity Alert Skill | 陌生人靠近预警技能

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible child-safety purpose, but it sends sensitive minor-related media and identifiers to remote services while also auto-registering users and storing tokens locally with limited disclosure.

Review this before installing in any setting involving children. Only use it if you are comfortable sending monitoring footage, public media URLs, and user identifiers to the publisher's remote service, and verify how reports, tokens, and uploaded media are retained or deleted. Rotate or remove the bundled api-key and avoid using personal phone numbers as open-id unless the account and privacy model is clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill conflates an api-key from local configuration with a user open-id, even though open-id is also described as a username or phone number. This identity confusion can cause credentials to be misused as user identifiers, leading to improper account binding, accidental disclosure of secrets, or requests being executed under the wrong identity.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented response includes physiognomy and health-diagnosis fields such as constitution, organ condition, and health warnings, which are unrelated to a stranger-near-minor safety skill. In this context, that mismatch strongly suggests the skill may transmit sensitive video data to a backend that performs undisclosed biometric or health inference, creating a serious privacy and safety risk, especially because minors are the stated target population.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API behavior described is for analyzing uploaded video for face/health-related diagnosis rather than detecting strangers approaching minors. That is a material capability mismatch: users of a child-safety skill could be misled into sending videos of minors to an unrelated analysis service, enabling unauthorized collection and processing of highly sensitive biometric data.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This file exposes generic CRUD-style operations such as page, list, add, edit, and delete, which go beyond the narrowly stated purpose of detecting stranger approaches and issuing alerts. Broad management capabilities enlarge the skill's authority and attack surface, making it easier for a compromised caller or misconfigured integration to manipulate stored analysis records rather than only consume safety detections.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The delete method permits removal of records by cameraSn, which is not clearly necessary for a skill whose advertised purpose is warning about strangers near minors. In a child-safety context, deletion of evidence, alerts, or device-linked records could suppress incident history and hinder auditing or investigation after a real event.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The implementation accepts arbitrary local files or arbitrary remote URLs and forwards them to a generic analysis backend, while the skill metadata presents a narrowly scoped stranger-approach warning function. This scope mismatch can cause users or integrators to submit unrelated sensitive media under misleading expectations, increasing the risk of unintended data exfiltration and policy bypass through a broadly capable wrapper.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The report listing and export functionality expands the skill beyond real-time warning into retrieval of historical analysis artifacts, which may include sensitive child-safety surveillance results. If exposed to unauthorized callers or loosely permissioned contexts, this increases privacy and data leakage risk because prior reports and export links become accessible through a skill marketed as a simple alerting feature.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file exposes a generic service layer with add/edit/delete and raw HTTP verb helpers that can send requests to caller-supplied URLs, which is materially broader than the skill's declared purpose of detecting strangers near minors and issuing alerts. In a safety-focused skill, this unnecessary network capability increases the blast radius for data exfiltration, unauthorized backend interaction, or abuse by other parts of the skill that can route arbitrary requests through this wrapper.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The http_post/http_put/http_get/http_delete methods accept arbitrary URLs and forward requests directly, creating a general-purpose network primitive inside a skill whose manifest does not justify broad outbound connectivity. If any upstream input can influence the URL or payload, this can enable exfiltration, access to unintended internal or external services, or abuse of the skill as a proxy.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
Username lookup is not obviously needed for detecting nearby strangers or issuing local safety reminders, so it represents extra identity-related capability beyond the stated purpose. Even if benign, unnecessary account-lookup functions can facilitate user enumeration or collection of personal information when incorporated into a broader workflow.

Context-Inappropriate Capability

High
Confidence
78% confidence
Finding
The User model persists authentication-like secrets (token, open_token) in a local SQLite database as plain string fields, with no encryption, hashing, access controls, rotation policy, or justification tied to the child-safety purpose. If the host filesystem or workspace is accessible, these secrets can be stolen and reused, leading to account compromise or unauthorized API access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility layer performs broad network interaction, authentication handling, retry logic, and service integration far beyond the declared purpose of a stranger-warning safety skill. In context, this creates an unjustified capability surface that can transmit user data and invoke unrelated backend actions, increasing privacy and abuse risk if the skill is installed or repurposed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can automatically register or log in a user by sending phone/openId-derived identifiers to a remote endpoint with silent and register flags enabled. For a child-safety warning skill, covert account provisioning is unrelated to core function and can create unauthorized accounts, privacy violations, and identity linkage without informed consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
On a 402 condition, the code returns instructions to install a payment skill and recharge the account, which is unrelated to the advertised stranger-warning purpose. This is dangerous because it introduces monetization and cross-skill steering behavior inside a safety-focused skill, potentially manipulating users during a trust-sensitive workflow.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code loads, stores, and updates user tokens and profile information locally through DAO operations, despite this not being justified by the manifest. Persisting authentication material and profile data expands the blast radius of compromise and creates unnecessary retention of sensitive information for a minor-safety skill.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The automatic trigger rules include broad phrases such as '历史报告', which may invoke remote history-report queries when the user did not intend to access surveillance records. In a child-safety monitoring context, unintended retrieval of historical reports can expose sensitive surveillance metadata and report links.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill asks users to submit personal identifiers such as username or phone number for report storage and querying, but does not clearly disclose the privacy and security implications of sending those identifiers together with surveillance media and historical records to a remote service. In this context, the data concerns minors and location/activity monitoring, making inadequate notice materially risky.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs clients to upload video files or provide public video URLs but gives no warning about external transmission, retention, or handling of sensitive footage. Because the skill is meant for environments involving minors, omission of privacy and data-transfer disclosures materially increases the risk of accidental exposure of children’s images and surroundings to third-party services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads the full contents of a local file and sends them to an external analysis API without any visible user-facing disclosure, confirmation, or minimization in this component. In a child-safety surveillance context, uploaded videos may contain highly sensitive footage of minors, making silent transfer to a backend materially risky from a privacy and compliance standpoint.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CLI requires an open_id and uses it for remote list/analysis operations, but the code provides no privacy notice, consent prompt, masking, or minimization of this identifier. Because the accepted values include OpenID, user ID, username, or phone number, this can transmit personally identifiable information to a backend without adequate disclosure, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool announces that it is analyzing video and then forwards a local file path or remote URL to backend analysis logic without clearly disclosing that video content may be uploaded or otherwise transmitted to a remote service. In a child-safety context, video may contain minors and other sensitive surroundings, so undisclosed remote processing materially increases privacy risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
HTTP requests attach user identifiers and authentication headers and may also include tenant, platform, and username metadata, yet there is no visible user-facing disclosure or consent mechanism in this file. In the context of a child-safety skill, undisclosed transmission of identity and token data is especially sensitive because it may involve households, minors, or caregivers.

VirusTotal

64/64 vendors flagged this skill as clean.
