Traditional Chinese Medicine Facial Diagnosis Analysis Tool (中医面诊分析工具)

Security checks across malware telemetry and agentic risk

Overview

This facial diagnosis skill is not clearly malicious, but it sends sensitive face and health-related data to a cloud service while using account identifiers, history lookup, and local token storage that are not clearly scoped for users.

Install only if you are comfortable sending facial videos, public video URLs, identifiers such as username/phone/open-id, and derived health-style reports to the configured LifeEmergence/Open API services. Treat outputs and saved reports as sensitive, avoid third-party faces without consent, and review or disable the silent account/token storage and broad auto-trigger/history behavior before use in a shared or regulated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill requires reading local/workspace configuration files to obtain an open-id/api-key-like value before performing facial analysis, even though that data is not inherently necessary to interpret a user-provided video. Pulling identifiers from unrelated config files expands data access and risks credential or identifier misuse, especially because the value is then used in downstream API calls and report retrieval.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill manifest describes a video facial diagnosis capability, but this API wrapper also exposes generic record-management functions such as page/list/add/edit/delete. That broader control surface is not justified by the stated purpose and can enable unintended backend interactions or data manipulation if the skill is invoked beyond its advertised scope.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The add/edit/delete methods operate on backend records, and delete specifically targets a cameraSn resource, which is unrelated to merely uploading a video for facial diagnosis. This creates an unjustified capability to create, modify, or remove resources on the server, increasing the risk of unauthorized tampering, service disruption, or destruction of operational data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script exposes a history-listing capability via `show_analyze_list()` and the `--list` CLI flag, but the manifest describes only local/URL video submission for analysis. This creates an undocumented data-access surface that could reveal prior users' analysis records or metadata, especially since the function ignores its `open_id` parameter and relies on global state instead of enforcing per-user authorization.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This file exposes broad generic HTTP and CRUD wrappers (`add`, `edit`, `delete`, `http_get`, `http_post`, `http_put`, `http_delete`) that are not constrained to the declared face-analysis purpose. In a skill that claims to upload videos for facial diagnosis, these helpers create an unnecessary capability surface that could be reused by other skill code to access or modify unrelated backend resources, increasing the chance of SSRF-like outbound access, unauthorized API use, or hidden side effects.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The presence of resource-modification helpers, especially `delete`, is not justified by the skill's stated purpose of face diagnosis and materially expands the actions available to the skill. Even if not invoked here, exposing mutation and deletion primitives makes it easier for other components to perform unintended destructive operations against backend APIs, which is especially risky in an agent-integrated environment where capabilities should be minimized.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This file implements generic local persistence for user records, including account lookup, update, deletion, and counting, which is broader than the stated face-analysis purpose. In a skill that should primarily process videos for diagnosis, hidden account-database capabilities expand the attack surface and create unjustified retention of user-related data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The User model stores identity and authentication-related fields such as username, email, token, and open_token in a local SQLite database. For a face-analysis skill, this is unusually sensitive and increases the risk of credential/token leakage, unauthorized retention, and misuse if the workspace or database file is accessed by other components or users.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file for a face-analysis skill introduces an unrelated `ai_chat` capability that attempts to invoke an external agent CLI (`openclaw agent`). This expands the skill's privilege and behavior beyond its stated purpose, increasing attack surface and creating a path for arbitrary prompt forwarding or unintended agent execution if the commented subprocess code is later enabled.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The generic request wrapper does substantially more than issue API calls for face analysis: it attempts backend login/registration, persists tokens, retries auth, and injects payment-onboarding behavior. In the context of a face-analysis skill, this is dangerous hidden functionality because it broadens the skill's authority and can create accounts or steer users into unrelated flows without clear consent or need.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can silently create or log in a backend user by calling /sys/phoneLogin with register=1 and user-derived identifiers, then stores returned tokens for later use. That is an undeclared account-provisioning behavior unrelated to the stated purpose of uploading videos for facial diagnosis, and it risks unauthorized account creation, identity misuse, and persistent credential handling without informed consent.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
When a 402 response occurs, the code returns instructions to install and use a separate payment skill, which is unrelated to facial diagnosis. Embedding cross-skill monetization guidance in a low-level request utility creates hidden product steering and expands the operational scope beyond what users expect from this skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to upload local facial videos or provide remote video URLs to a server-side API, but it does not clearly warn that highly sensitive biometric and health-related data will be transmitted off-device. Because facial imagery and diagnostic inferences are privacy-sensitive, users may unknowingly expose personal data to third-party infrastructure or untrusted deployments.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The README advertises automatic saving of analysis results to disk without clearly warning that output files may contain sensitive health assessments or facial-analysis metadata. On shared systems or poorly secured environments, silently writing such results to local storage can increase the risk of unintended disclosure.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger logic is overly broad: it defaults to activating on many generic video-analysis requests unless the user mentions certain unrelated terms. In practice this can cause accidental routing of videos to a server-side facial-diagnosis API without clear user intent, increasing privacy risk and making unauthorized processing of biometric/health-adjacent data more likely.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The auto-trigger keywords for historical report queries are common phrases such as viewing reports or lists, which can easily collide with ordinary requests. Because those triggers force cloud-side history retrieval tied to an open-id, they may expose sensitive prior diagnostic records when the user did not clearly intend a medical-history lookup.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill describes uploading local videos or passing remote video URLs to a server-side API for facial diagnosis but does not clearly warn that potentially sensitive biometric and health-related data will leave the local environment. For a facial-analysis skill, that omission is especially dangerous because users may reasonably expect local processing or may not appreciate the privacy implications of remote inference and storage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill asks for an open-id, username, or phone number to save and query historical reports, but it does not clearly disclose that these identifiers link analysis results to an account-like history. This weakens informed consent and can lead users to provide personal identifiers without understanding the persistence and retrieval implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API documentation explicitly supports uploading face videos or providing public video URLs for facial diagnosis, which involves highly sensitive biometric and health-related data. The absence of any warning, consent guidance, retention policy, or handling requirements increases the risk that integrators will collect and transmit such data without adequate notice or safeguards, leading to privacy violations and regulatory exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads an arbitrary local file into memory and uploads its full contents to a server-side analysis API whenever the input is not an HTTP(S) URL. While this is part of the skill’s intended functionality, there is no user-facing consent, warning, or data-sensitivity check in this code path, which creates a privacy and data-exfiltration risk if users supply the wrong path, are misled by higher-level tooling, or do not realize the file leaves the local environment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The DAO performs an automatic ALTER TABLE on initialization and also exposes hard-delete functionality, yet this behavior is not surfaced to users of the skill. In a broader skill ecosystem, silent schema mutation and deletion can lead to data loss, unpredictable state changes, and abuse if these operations are reachable through higher-level flows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The method logs the full user-supplied `prompt` in debug output, which can expose sensitive user data, secrets, URLs, or diagnostic content to logs and monitoring systems. In a face-analysis context, prompts may contain personal or health-related information, making this leakage more sensitive than ordinary application logging.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The request helper sends request bodies and authentication headers to remote services and logs request metadata, but this file contains no user-facing notice or consent gate for those transmissions. In a face-analysis skill handling potentially sensitive media and associated identity context, undisclosed outbound transmission increases privacy and compliance risk.

VirusTotal

VirusTotal findings are pending for this skill version.