Back to skill

Security audit

Driver Blink-Rate & Eye-Closure Fatigue Detection | 驾驶员眨眼频率与闭眼时长检测

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised driver-video analysis, but it also silently manages user identity, stores tokens, uploads sensitive video to cloud APIs, and queries cloud history, so it should be reviewed before installation.

Install only if you are comfortable sending driver face/video data and identity-linked report history to the LifeEmergence cloud service. Confirm that drivers or employees have consented, understand where tokens and reports are stored, and prefer a deployment policy that limits history lookup and deletes local workspace data when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (30)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
76% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The manifest exposes powerful capabilities through documented shell execution, network access, local file read/write, and environment use, yet declares no permissions or guardrails. This creates a trust gap where operators may approve the skill as low-risk while it can access local data, invoke scripts, and communicate with remote services, increasing the chance of data exfiltration or unsafe execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a real-time fatigue-detection tool, but its documented behavior includes identity creation/reuse, token handling, local persistence, remote authentication, and historical record retrieval. This mismatch can mislead reviewers and users about the true data flows and security exposure, especially because biometric-adjacent driver video is tied to persistent identities and cloud-side reporting.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
A skill advertised as real-time in-cabin fatigue detection also includes cloud-based historical report querying and report-link retrieval, which materially expands its function from local analysis to remote data access. That broader scope increases privacy risk and the chance of unauthorized access to prior reports if identity binding or authorization is weak.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill exposes a history-listing function keyed by open_id even though the stated purpose is real-time driver blink/fatigue analysis. Expanding from transient analysis into record retrieval increases privacy risk and can enable unauthorized access to prior analysis results if identity binding or authorization is weak elsewhere in the stack.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code initializes and uses an internal user identity to fetch records, but that identity handling is not justified by the declared fatigue-detection functionality. In a driver-monitoring context, this can expose sensitive behavioral telemetry and analysis history, making unjustified identity linkage more dangerous from a privacy and access-control perspective.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill accepts arbitrary http/https URLs and forwards them to the backend analysis service, which expands the data source beyond the manifest's stated in-cabin DMS camera use case. This creates a scope-creep and potential abuse issue: users can cause the service to fetch/process third-party remote content, possibly violating product boundaries, privacy expectations, or enabling backend misuse depending on how the downstream service handles URLs.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill constructs and returns report export links and, elsewhere in the file, supports report listing, which goes beyond the stated fatigue-detection analysis purpose. Exposing reporting/history capabilities without clear manifest disclosure can leak analysis metadata or artifacts to callers who only expected single-use detection behavior.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Accepting arbitrary remote video URLs broadens the skill beyond the stated in-cabin fatigue-detection purpose and can cause the backend service to fetch and process attacker-controlled resources. If the downstream service retrieves the URL server-side, this can become an SSRF-style data exposure or unintended network access risk, especially because the code imposes no allowlist or purpose restriction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This module exposes generic add/edit/delete and arbitrary http_get/http_post/http_put/http_delete wrappers that are not constrained to the stated blink/fatigue-detection purpose. In a skill intended for in-cabin fatigue analysis, broad network client and CRUD capabilities expand the attack surface and enable misuse for unrelated data access or backend actions if other components can influence the URL or request parameters.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The get_user_by_username capability is unrelated to driver blink or fatigue analysis and introduces access to identity or account lookup functionality beyond the declared scope. Even if intended for convenience, this violates least privilege and can support user enumeration or unintended access paths when composed with other skill features.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements generic user-account persistence, including user lookup and updates, despite the skill being described as driver blink/fatigue detection. That mismatch indicates unnecessary identity-handling capability and expands the attack surface with account-related logic unrelated to the stated function.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores identity and authentication-related fields such as username, realname, email, token, and open_token, which are unjustified for a blink-fatigue detection feature. Collecting and persisting this data creates privacy and credential exposure risk, especially because local SQLite storage here shows no encryption, minimization, retention control, or clear consent boundary.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file contains identity resolution, local secret sourcing, default user creation, and account-context management that are unrelated to blink/fatigue analysis. In this skill context, that mismatch is dangerous because it expands capability into user/account handling without a clear need, increasing the chance of unauthorized identity use and covert platform interaction.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The HTTP wrapper does far more than generic transport: it injects platform metadata, restores and stores tokens, retries authorization, auto-registers users, and handles balance/payment flows. For a driver-fatigue detection skill, this is unjustified hidden functionality that can transmit identity and account data to backend services beyond the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading a workspace file containing an API key or identity value and using it to establish user context is a sensitive-data handling behavior unrelated to the manifest. In a camera-based safety skill, hidden identity bootstrapping is especially concerning because users would not expect local secret harvesting for backend account context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The request path can silently invoke a phoneLogin/register flow to create or recover backend users using a generated or discovered identifier. This creates an undisclosed account lifecycle capability that is far outside the expected function of a blink/fatigue analysis skill and could be abused to create identities or bind user context without consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code enumerates agent workspace layout, discovers installation roots, and creates data/skills directories. In isolation this is not always harmful, but in this skill it represents unrelated environmental awareness and filesystem capability that broadens what the package can do beyond fatigue detection.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The default trigger is broad enough to activate on any uploaded driver video needing analysis, which can cause the skill to run on sensitive media without sufficiently specific intent. In a privacy-sensitive domain involving driver facial video, over-triggering increases the risk of unnecessary processing, unintended uploads, and accidental data retention.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The keyword trigger list is broad and includes terms that may match general safety or monitoring discussions, potentially invoking analysis or cloud history lookup without clear, informed user intent. Because the skill also handles historical reports and identity-linked cloud data, ambiguous auto-triggering can expose prior records or process sensitive content unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill silently resolves internal identity without clear user disclosure, which creates a transparency and privacy issue. Hidden identity resolution is especially risky here because driver fatigue outputs may reveal sensitive safety-related behavioral data and could be used to correlate or retrieve records without informed user awareness.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads the entire local file into memory and submits it to the analysis service, but this file does not provide any user-facing notice that local video contents will be uploaded off-device. For a driver-monitoring context, those videos are highly sensitive biometric/behavioral data, so silent transmission materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script accepts a hidden --api-key parameter while suppressing it from help output, which reduces transparency around credential handling and can encourage insecure usage patterns. Hidden credential inputs are dangerous because users and reviewers may not realize secrets are being passed through the CLI, where they can be exposed via shell history, process listings, logs, or wrapper tooling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends local or remote video content to an external analysis service via skill.get_output_analysis without providing a clear user-facing warning about data transmission. In this skill context, the videos may contain highly sensitive in-cabin footage of drivers, so silent transfer to a remote service creates meaningful privacy and compliance risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2