TCM Constitution Identification & Analysis Tool | 中医体质识别分析工具

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised health-style face/video analysis, but it also handles identifiers, account login, token storage, report history, and a bundled API key in ways users should review carefully.

Install only if you are comfortable sending face photos/videos and a username or phone-like identifier to the publisher's remote service. Review the bundled API key, report-history behavior, and local SQLite token storage first; avoid using someone else's phone number or identifier, and treat generated health guidance as informational rather than medical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file exposes generic list/add/edit/delete operations plus deletion keyed by `cameraSn`, which is materially broader than the declared TCM constitution-analysis purpose. This kind of capability mismatch is dangerous because it can enable unauthorized record management or device-associated data deletion through a skill that users and reviewers would reasonably expect to only perform health-analysis actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
`analysis()` silently injects a `petType` parameter into a skill advertised as human TCM constitution analysis, indicating the code may be wired to a different backend workflow than the manifest describes. This mismatch is risky because hidden parameter manipulation can redirect processing, produce incorrect medical-style outputs, or send user data into an unintended service context without informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The API documentation materially mismatches the skill’s stated purpose: the manifest describes TCM constitution recognition via facial features and physical signs, but the reference API is framed as generic video analysis. This kind of semantic mismatch is dangerous because it can hide undisclosed collection or processing of broader biometric/video data than users or integrators expect, weakening informed consent and increasing the chance of misuse or accidental over-collection.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This skill exposes generic CRUD-style record-management methods (`page`, `list`, `add`, `edit`, `delete`) that go beyond the minimally necessary behavior for constitution recognition and recommendation generation. Even though these methods are not inherently exploitable in isolation, they unnecessarily enlarge the skill's authority and attack surface, enabling modification or removal of analysis records if invoked by an agent or downstream integration.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `delete(cameraSn)` method provides destructive capability that is difficult to justify for a TCM constitution-recognition skill whose expected purpose is analyzing inputs and returning health guidance. In a skill context that should be read/analyze-oriented, exposing deletion by identifier increases the chance of unauthorized or accidental data loss, especially if an agent can call it without strong authorization or confirmation barriers.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill accepts either arbitrary local files or arbitrary remote video URLs and forwards them to a backend analysis service, while the declared purpose is narrowly framed as TCM constitution analysis from facial and physical signs. This creates an unnecessarily broad data-ingestion surface that can be used to transmit unrelated or sensitive user content to the remote service without strong scope restriction, increasing privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts arbitrary http/https URLs and passes them as analysis input without constraining origin, content type, or business need. Even if the fetch happens server-side in the downstream API, this expands the system into a generic remote content ingestion path that can be abused for privacy-invasive processing, unexpected internal-network access by the backend, or processing of attacker-chosen content outside the skill's stated scope.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The implementation does not match the declared skill purpose of TCM constitution recognition; instead it exposes a generic video analysis entrypoint. Capability mismatch is dangerous because users, reviewers, and policy controls may grant trust or permissions based on the manifest while the code performs broader or different processing than expected.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The added history-listing capability is outside the stated purpose and increases access to previously processed data. Undisclosed data-retrieval features can enable unauthorized browsing of prior analyses or retention-related privacy issues, especially when users expect a one-shot health analysis tool.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script accepts arbitrary identifiers including username or phone number and uses them to retrieve analysis history, which creates an insecure direct object reference risk if the backend does not strictly verify ownership. In a health-related context, this could expose sensitive analysis records tied to real individuals.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a generic API wrapper with pagination, CRUD-style mutation methods, and arbitrary GET/POST/PUT/DELETE helpers that can send requests to caller-supplied URLs. For a skill whose declared purpose is TCM constitution recognition and health suggestions, this is overbroad capability that enables unintended data exfiltration or interaction with remote services well beyond the stated function.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The http_post/http_put/http_get/http_delete methods expose arbitrary outbound network request capability to any caller of this service. In the context of a diagnosis-oriented skill, this is dangerous because it can be repurposed to send sensitive user data to unapproved destinations or perform unauthorized remote actions unrelated to constitution analysis.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The add, edit, and delete methods provide generic remote state-changing operations without any visible linkage to the skill's declared analysis-only behavior. Such mutation primitives increase the attack surface by enabling unauthorized creation, modification, or deletion of remote resources if exposed through higher-level skill flows.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The download URL generation method creates access URLs for remote objects using a caller-provided key and expiry value, which is not obviously required by an analysis-and-suggestion skill. If misused, it could expose stored files or broaden access to data objects outside the intended diagnostic workflow.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The module creates and mutates a persistent SQLite database under a workspace-derived path, which exceeds the manifest's described health-analysis behavior and introduces stateful side effects. In a skill expected to analyze constitution and provide suggestions, undisclosed local persistence increases privacy risk and broadens the attack surface for data retention and tampering.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Full CRUD support for user records, including update and delete operations, materially exceeds the stated purpose of constitution recognition and health suggestions. This mismatch suggests over-collection and over-processing capabilities that could be abused to store, alter, or remove user data unrelated to the advertised function.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The User model stores identifiable and sensitive profile data including username, real name, email, birthday, age, sex, and tokens, which are not clearly necessary for TCM constitution analysis. In this skill context, collecting and persisting such data is more dangerous because health-related profiling combined with identifiers raises privacy, compliance, and account-security concerns.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The utility layer performs hidden user lookup, automatic account creation/login, token retrieval, and persistent token storage, which is unrelated to the stated TCM constitution analysis function. This creates an undisclosed identity and credential-handling channel that can enroll users in a backend system and persist authentication artifacts without clear consent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code can return payment and renewal workflow instructions from a low-level request helper, which is outside the declared health-analysis purpose and indicates billing-related behavior embedded in infrastructure code. Mixing monetization prompts into request handling increases the risk of deceptive or unexpected user flows and can steer users into actions they did not anticipate.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The auto-trigger keywords for historical report queries are broad enough to activate report-listing behavior during ordinary conversation. In a health-related skill handling account-linked reports, unintended triggering can expose private report metadata or cause remote queries the user did not clearly authorize.

Missing User Warnings

High
Confidence
96% confidence
Finding
Automatically saving uploaded face photos and videos to local storage without a clear up-front warning is risky because these are sensitive biometric/health-adjacent data. Silent persistence increases exposure to local compromise, accidental retention, unauthorized reuse, and regulatory/privacy issues.

Missing User Warnings

High
Confidence
95% confidence
Finding
Requesting an open-id in the form of a username or phone number for report storage/querying without a strong privacy notice creates unnecessary collection of personally identifiable information. Combined with health-analysis context and remote API use, this can link sensitive reports to real-world identities and increase the consequences of leakage or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script requires a sensitive user identifier via the --open-id command-line argument, and command-line arguments are commonly exposed through shell history, process listings, job control tools, and logging systems. In this skill’s context, the identifier may be a phone number, username, or user ID tied to health-analysis output, which increases privacy risk because it links identity to sensitive wellness/medical-like data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal