Jf Open Pro Ai Pet Care

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed developer integration for JF Tech pet-care APIs, but it handles powerful account credentials and can change or delete remote pet-care data without strong safeguards.

Install only if you need a developer-facing, write-capable JF Tech pet-care integration. Use environment variables or a secret manager instead of TOOLS.md, do not commit tokens or app secrets, and require explicit human confirmation before running service switches, alert setting changes, or pet record deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation describes use of shell commands and direct network/API access, yet no permissions are declared. This creates a transparency and governance gap: users or platforms cannot accurately assess that the skill can execute scripts and send authenticated requests to external services. In this context, the omission is meaningful because the skill handles device management and account-bound operations, so undeclared capabilities increase the risk of unexpected remote actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The public description frames the skill as passive pet-care monitoring and reporting, but the documented behavior includes active state-changing operations such as enabling/disabling service, modifying alert settings, and creating/updating/deleting pet records. This mismatch can mislead operators into granting trust or credentials for a monitoring feature when the skill can also perform administrative changes on devices and data. Because the actions affect real device configuration and pet profiles, the mismatch materially increases abuse potential.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The switch-setting path is broken because `set_switch` is defined without a `movecard` parameter, but `main()` calls it with `movecard=args.movecard`, and the function body also references `movecard` despite it not being in scope. This causes a runtime failure for the state-changing operation, creating a denial-of-service for the advertised functionality and increasing the risk of operators assuming a service toggle succeeded when it never executed.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The script's capabilities exceed the stated skill purpose: instead of only pet-care monitoring/reporting, it also administers remote pet face-sample records. This mismatch is dangerous because users or reviewers may grant trust and credentials based on the manifest while the code can perform broader state-changing actions against backend resources.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The delete_pet function can permanently remove remote pet records, which is a destructive capability not justified by the advertised monitoring/reporting use case. In a skill context, hidden destructive operations are especially risky because they can be triggered with trusted credentials and cause data loss or service disruption for the user.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The add_pet and update_pet paths create and modify remote pet profile/face-sample records, expanding the skill from passive monitoring into administrative data mutation. This broader capability increases the blast radius of misuse or compromise because pet identity data and associated images can be altered without the behavior being clearly disclosed by the manifest.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly recommends storing sensitive values such as app secrets, authorization tokens, user identifiers, and device serial numbers in TOOLS.md for local testing. Storing live credentials in a general project document risks accidental exposure through source control, logs, backups, or downstream tooling that reads workspace files. In this skill, those credentials can authorize API calls that access device data and change service state, so leakage could directly enable account or device compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The delete action executes immediately once an ID is provided, with no confirmation, dry-run, or safeguard against accidental or coerced deletion. In a skill or automation context, lack of friction on destructive operations materially increases the likelihood of irreversible data loss from misuse, prompt injection in higher layers, or operator error.

VirusTotal

61/61 vendors flagged this skill as clean.