Back to skill

Security audit

Child Dangerous Object Contact Detection | 儿童接触危险物品识别

Security checks across malware telemetry and agentic risk

Overview

This child-safety video skill sends sensitive child-monitoring media to a cloud service and silently manages local/remote identity tokens, so it should be reviewed carefully before installation.

Install only if you are comfortable with child-monitoring videos or URLs being processed by the publisher's cloud service, with cloud history being queried, and with the skill silently creating/reusing an identity and storing service tokens locally. Review the publisher and data-handling expectations first, especially consent, retention, deletion, and who can access generated report links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation instructs use of capabilities including shell, network, file read/write, and environment access, but declares no permissions. That mismatch prevents meaningful user or platform review and can hide sensitive operations such as local file handling, token storage, and remote API calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to provide camera-based child safety detection and immediate warnings, but the documented behavior includes account initialization, token/user storage, remote backend interactions, history listing, and report export link generation that are outside the stated purpose. This kind of purpose drift is dangerous because it can collect and retain sensitive household and child-related data under misleading expectations.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Automatic cloud historical report querying goes beyond the core stated function of real-time danger detection and alerting. In the context of child-monitoring footage, historical report access can expose sensitive behavioral records and images if invoked too broadly or without clear consent and scope checks.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Auto-creating or reusing a default local user identity for a child-safety analysis skill is not justified by the declared task and can silently bind reports and tokens to the wrong person. This creates privacy and access-control risks, especially because the data concerns minors, household surveillance, and historical records.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script initializes an internal identity via `OpenIdUtil.resolve_current_open_id(args.open_id, use_current=bool(args.open_id))` even though `--open-id` is hidden from normal help output. This creates a mismatch between the apparent user-facing behavior and the actual identity context used by backend operations, which can enable unintended access to per-user analysis data or make auditability and consent unclear.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The skill is described as a real-time dangerous-object detection tool, but it also exposes `show_analyze_list()` to retrieve historical analysis output by `open_id`. That broadens the data access surface from live processing to stored history, which is sensitive in a home/child monitoring context and may enable privacy violations if access controls are weak or identity handling is ambiguous.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements generic user-account persistence logic in a skill whose declared purpose is dangerous-object video analysis for child safety. This mismatch increases the risk of unnecessary data collection and privilege expansion, because identity/account storage is not clearly required for local hazard detection and alerting.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The User model stores identity and authentication-related data including username, realname, email, token, and open_token without any demonstrated need from the skill's stated purpose. In a child-safety camera context, collecting and persisting such data expands privacy and security exposure substantially, especially if tokens are stored in plaintext in a local SQLite database.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This utility code goes beyond the declared child-dangerous-object detection purpose by automatically resolving identities, loading API-key-derived identifiers, retrieving or minting backend users, and persisting tokens for future use. That creates hidden account and credential management behavior unrelated to local vision analysis, increasing the risk of unauthorized backend access, silent cross-skill identity reuse, and privacy-impacting data flows.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code performs a remote `phoneLogin` request with `register=1`, meaning it can silently create or log into backend accounts using a derived username/openId without user awareness. For a home child-safety video skill, covert account creation is unjustified and materially expands the system's privileges and external data exposure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading `data/smyx-api-key.txt` and repurposing its contents as an internal open-id creates silent identity coupling between workspace secrets and application identity state. This is risky because a local secret or credential artifact may be reused for a different purpose than intended, enabling account confusion, unintended impersonation, or privacy leakage across skills and services.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The default trigger is broad enough to activate on essentially any child-area video, even without explicit dangerous-object analysis intent. For a skill handling highly sensitive child-monitoring media, overbroad invocation increases the risk of unnecessary processing, transmission, and retention of private footage.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The automatic historical-report trigger list is broad and lacks scope limits, so casual queries may cause retrieval of sensitive prior child-safety records. In this context, even metadata about past incidents can be privacy-sensitive and should not be fetched implicitly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly requires 24/7 camera capture in private home spaces involving children and describes snapshot sharing and alert delivery, but it provides no privacy, consent, retention, access-control, or data-handling safeguards. In this context, the omission is security-relevant because the API processes highly sensitive household and child-monitoring data, increasing the risk of surveillance abuse, unauthorized disclosure, and regulatory noncompliance.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The document states that API Key authentication is used but gives no guidance on secure generation, storage, rotation, scope limitation, or transmission of the credential. Because this API handles sensitive child-monitoring events and snapshot URLs, weak credential handling could enable unauthorized access to live analysis results, historical alerts, or exported reports.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill reads arbitrary local file contents or forwards a user-supplied video URL to the analysis backend without any visible consent prompt, provenance restriction, or warning in this code path. In a home-child-monitoring context, uploaded videos are highly sensitive and may contain children, interiors, and behavioral data, so silent transmission creates meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script accepts a hidden --api-key argument while suppressing it from help output, which can cause users or calling systems to provide credentials without clear disclosure of how they will be used. Hidden credential parameters reduce transparency and increase the risk of accidental secret exposure through shell history, process listings, logs, or unsafe downstream handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The analysis function forwards a local file path or remote URL to skill.get_output_analysis, which appears to invoke an external analysis service, yet the CLI gives no explicit notice that user-supplied video data may leave the device. In this skill's context, the data is especially sensitive because it concerns in-home child monitoring footage, so undisclosed transmission can expose highly private household and child safety information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This request path transmits usernames, open IDs, tokens, tenant metadata, and skill metadata to remote endpoints, but the code shows no user-facing notice, consent, or minimization controls. In the context of a child-monitoring camera skill, undisclosed backend transmission is especially sensitive because it can link household surveillance behavior to persistent identities.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The code reads an internal identity value from a workspace file with no visible warning, user prompt, or provenance check. While lower impact than the network behaviors, this hidden identity sourcing contributes to opaque account linkage and makes later remote use of that identity difficult for users or operators to detect.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2