Back to skill

Security audit

Body Size/Weight Estimation | 畜禽体长/体重估测

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its livestock analysis purpose, but it silently creates or reuses account identity, logs into a remote service, and persists tokens locally with limited user-facing disclosure.

Review this before installing if you are comfortable sending livestock media, URLs, report queries, tenant/platform metadata, and an internally resolved user identity to the LifeEmergence cloud service. Treat it as an account-linked cloud integration, not a local-only estimator, and avoid installing it in workspaces where shared data directories or stored tokens would be inappropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
77% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
75% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to execute local Python scripts, read/write local files, access environment-derived identity, and perform network/API calls, yet it declares no permissions or user-facing capability boundaries. This mismatch can cause the agent to perform sensitive actions implicitly, reducing transparency and weakening policy enforcement around filesystem, shell, and network use.

Intent-Code Divergence

Low
Confidence
71% confidence
Finding
The comment says user input is not required and hidden from help, but the code still accepts a caller-supplied open_id and passes it into identity resolution. If downstream logic trusts that identifier for access to reports or account-scoped data, an attacker may impersonate another user or retrieve another user's analysis history by supplying a chosen open_id.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a history-listing function that retrieves prior analysis records via `skill.get_output_analysis_list(open_id=open_id)`, but this capability is not apparent from the stated skill purpose of estimating livestock size/weight from a provided video. Undisclosed access to historical, account-scoped data increases privacy and data-minimization risk, especially if users or calling systems do not expect the skill to enumerate prior results.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This file exposes generic CRUD wrappers and arbitrary HTTP methods that can be used to contact attacker-controlled or unrelated endpoints, which exceeds the narrowly stated livestock-estimation purpose. In an agent skill context, such generic network primitives expand the skill's capability surface and can enable data exfiltration, unauthorized remote actions, or misuse by other code paths even if this file itself does not show the caller.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The http_post/http_put/http_get/http_delete methods provide arbitrary outbound network access with caller-supplied URLs, which is a dangerous primitive in a skill that is supposed to analyze livestock imagery. Because the functionality is broad and not tied to the manifest purpose, it increases the risk of SSRF-like behavior, exfiltration, and unreviewed communication with external services.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file defines generic user-account persistence, lookup, and token-related handling that is not justified by the declared livestock body-size/weight estimation purpose. In a narrowly scoped computer-vision skill, unrelated identity/account infrastructure expands the attack surface and raises the chance of unnecessary collection or misuse of user data.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The User model stores identity and authentication-related data including username, realname, email, token, and open_token, which is difficult to justify for a livestock-analysis skill. Unnecessary storage of authentication material creates significant privacy and credential-handling risk, especially if tokens are stored in plaintext and the local SQLite database is accessible to other components in the workspace.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill contains broad agent workspace discovery and directory creation logic unrelated to livestock body-size/weight estimation. In context, this expands the skill's filesystem awareness and ability to locate shared workspace data, increasing the blast radius for unintended data access or cross-skill contamination.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This code generates, resolves, and persists user identities and tokens despite the manifest describing a livestock video analytics capability. That mismatch is dangerous because it silently introduces account lifecycle and credential-handling behavior that can create unauthorized identities, reuse local accounts, and persist sensitive authentication material.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The HTTP wrapper automatically performs login/registration side effects, loads tokens from local state, and injects platform/account metadata into every outbound request. For a livestock estimation skill, this hidden behavior materially increases privacy and account-risk exposure because requests can carry identity data and credentials to external services without clear user intent.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill reads identity material from a workspace file and local user database, then uses it to determine the active open-id. In this context, that is unjustified and dangerous because it can silently appropriate internal identity values from the environment and reuse them for network operations or account binding.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can phone-login or auto-register users against an external health service using locally derived identifiers. This capability is far outside the expected scope of a livestock measurement skill and could create unauthorized accounts, link identities across systems, and transmit sensitive identifiers to a third party without clear notice.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that uploaded attachments or media files are automatically saved locally, but it does not warn the user about local persistence, storage location, retention, or cleanup. Automatic file writes can create privacy and security risks if sensitive media remains on disk or is accessible to other processes or users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requires direct cloud API queries for historical reports but does not clearly warn the user that request data and report metadata will be transmitted to a remote service. Silent remote transmission can expose potentially sensitive operational data and prevents informed consent about where data is processed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script resolves a hidden `--open-id` parameter and then uses `ConstantEnum.CURRENT__OPEN_ID` to fetch account-scoped history, while suppressing visibility of these controls from normal help output. Hidden identity/account handling reduces transparency and can enable unintended access to another user's analysis history if the identity resolution or upstream authorization is weak.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The analysis path sends user-provided local file paths or remote URLs into `skill.get_output_analysis(...)`, and the error handling explicitly anticipates outbound HTTP requests, indicating external service use without clear disclosure to the user at the point of collection. For a video-analysis skill, network processing may be expected, but failing to clearly disclose transfer of potentially sensitive farm footage or URLs creates a privacy and data-handling vulnerability.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads a sensitive identity/credential file from the workspace without any visible user-facing disclosure or consent mechanism. In an analytics skill, silent harvesting of local identity material increases privacy risk and makes downstream credential use difficult for users to detect or control.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request path automatically transmits identity fields and authentication tokens to external services, but the code shows no explicit disclosure, consent, or user-controlled toggle. Hidden transmission is particularly risky here because the skill's declared purpose does not imply account-linked network activity.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2