Trauma Stress Behavior Detection (Emergency Scene) | 受灾人群心理创伤行为识别(应急场景)

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated emergency video-analysis purpose, but it needs review because it uploads highly sensitive shelter footage and identifiers to remote services while also creating/storing account tokens with limited disclosure.

Install only in an authorized emergency-response environment with clear legal authority, notice, and a data-handling agreement for remote video processing. Confirm where videos, reports, identifiers, and tokens are stored; how long they are retained; who can access history/export links; and whether local SQLite token storage and automatic account registration are acceptable for your deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises no explicit permissions, yet its documented behavior includes reading config files, saving uploaded files locally, invoking shell commands, and sending videos and identifiers to a remote API. This mismatch undermines informed consent and platform policy enforcement, especially because the content handled is highly sensitive shelter surveillance and mental-health related footage.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill's documented purpose is trauma-behavior analysis, but the detected behavior includes backend login/registration using phone/open-id, token storage in local SQLite, unrelated petType support, and historical record/report retrieval. These hidden or weakly disclosed functions expand the attack surface, enable silent account creation or tracking, and create privacy and credential-handling risks far beyond the stated purpose.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The analysis method injects a petType parameter into a skill described as detecting acute stress behaviors in human disaster victims, which is a strong scope mismatch and suggests code reuse from an unrelated animal-analysis workflow. In a sensitive emergency-psychology context, sending incorrect classification parameters can cause systematic misanalysis, missed alerts, false alerts, and unsafe intervention decisions affecting vulnerable people.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documented API behavior is materially inconsistent with the skill's stated purpose: instead of crowd trauma/stress-behavior detection, it describes face detection and health/constitution diagnosis outputs. In a disaster-shelter psychological triage context, this mismatch can cause operators or integrators to send sensitive footage to an unrelated biometric/health-analysis service, leading to unsafe decisions, privacy violations, and deployment of the wrong capability in an emergency setting.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The code accepts arbitrary remote video URLs and passes them for analysis, which expands the trust boundary beyond the stated fixed-camera deployment model. If downstream components fetch the URL server-side, this can enable misuse such as access to internal resources, unexpected data ingestion, or analysis of unapproved third-party content.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file implements a generic API wrapper with broad CRUD methods and arbitrary HTTP verbs that are not constrained to the declared trauma-behavior detection purpose. In a skill intended for narrowly scoped emergency-shelter video analysis, exposing reusable outbound request primitives materially expands capability and can enable unauthorized data exfiltration, interaction with unrelated backend services, or abuse by other components that import this helper.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The http_post/http_put/http_get/http_delete helpers accept arbitrary URLs and forward requests without visible restriction, creating a general outbound networking primitive. In this skill context, that is especially risky because the manifest describes psychological-alert analytics, not general network brokerage, so these methods could be repurposed for SSRF-style access to internal services, exfiltration, or command-and-control-like communications if attacker-controlled input reaches them.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file defines generic local persistence for user identities, birthdays, email addresses, and tokens, which is broader than the declared trauma-behavior video analysis purpose. In a disaster-shelter mental-health context, collecting and storing unrelated account data increases privacy risk and expands the attack surface around highly sensitive populations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The model stores authentication-style token and open_token values in a local SQLite database, apparently in plaintext. If the database file is accessed by other local users, backups, or compromised processes, these credentials could be reused to impersonate users or access connected systems.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The shared HTTP utility performs account lookup, remote phone-login/registration, token acquisition, and local token persistence even though the declared skill is for video-based stress-behavior detection. This introduces undeclared identity-management capability and causes the skill to create or reuse user accounts and credentials as a side effect of ordinary requests, expanding both privacy and abuse risk well beyond the manifest-stated purpose.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The helper `_get_or_create_user` automatically calls a remote `/sys/phoneLogin` endpoint with `register=1`, using the current username as both `openId` and `mobile`, which can create remote accounts without clear authorization. For a shelter-monitoring psychological triage skill, this is unrelated functionality and can lead to unauthorized account creation, identity misuse, and silent data disclosure to an external service.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The request wrapper unconditionally attaches multiple identity and secret-bearing headers such as `X-Access-Token`, `X-Api-Key`, `Authorization`, and app/user metadata to requests. This broad credential injection exceeds the apparent need of the declared skill and increases the blast radius if endpoints, logs, or downstream systems are compromised, especially in a disaster-response context that may involve sensitive personal data.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The default trigger activates on broadly defined shelter-video requests and related keywords, which can cause the skill to run on sensitive footage without a clear, specific user request for this particular analysis. In a disaster-response context, that increases the chance of unintended surveillance processing and unnecessary transmission of privacy-sensitive video to external services.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill processes extremely sensitive surveillance footage of disaster victims and associates it with identifiers and historical reports, yet it lacks a prominent warning about privacy risks, cloud transmission, retention, and who can access the data. Users may therefore provide protected or highly sensitive footage without informed consent or understanding of downstream exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document describes real-time surveillance, subject tracking, location tagging, alerting, history queries, and report export for highly sensitive mental-health-related observations in disaster settings, but lacks a prominent user-facing privacy warning and governance framing at the skill/interface level. In this context, weak transparency and notice can enable covert or overly broad monitoring, unauthorized secondary use, and misuse of highly sensitive behavioral data about vulnerable populations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API accepts direct video uploads and public video URLs but provides no privacy, consent, retention, encryption, or data-handling guidance despite processing highly sensitive footage that may reveal faces, mental state, and health-related inferences. In emergency shelters and wartime/accident settings, affected individuals are especially vulnerable, so silent transmission of this data to a remote API materially increases the risk of privacy harm, noncompliant data processing, and secondary misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill transmits either raw local video contents or a user-supplied remote video URL to an analysis service without any visible consent, warning, or disclosure in this code path. In this context, the videos depict vulnerable disaster victims and may contain highly sensitive health and behavioral data, so silent upload materially increases privacy, legal, and misuse risk.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The tool requires an open-id that may be a username, phone number, or other personal identifier, and uses it in requests/history lookup without any visible privacy notice, minimization, or validation. In a disaster-response context involving mental-health alerts, linking sensitive behavioral analysis to directly identifying data increases privacy and misuse risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code transmits user identifiers (`mobile`, `openId`, `pnaUserName`) and authentication material to remote services without any visible notice, consent, or scope limitation in this file. In the context of monitoring disaster victims, silent transmission of identity-linked data is particularly sensitive because operators may assume the skill only performs local or narrowly scoped behavioral analysis.

VirusTotal

64/64 vendors flagged this skill as clean.
