
Security audit

Estrus/Mating Behavior Detection | 畜禽发情/配种行为识别 (Livestock Estrus/Mating Behavior Recognition)

Security checks across malware telemetry and agentic risk

Overview

This cloud livestock video-analysis skill is mostly coherent, but it should be reviewed because it silently creates or reuses identity state, stores authentication tokens locally, and can query cloud report history with limited user control.

Install only if you are comfortable sending barn videos or supplied URLs to the vendor's cloud service and allowing the skill to create or reuse a persistent local identity. Review or isolate the workspace data directory, especially smyx-common-claw.db and smyx-api-key.txt, and avoid using this skill with sensitive footage or internal/private URLs unless the publisher clarifies retention, token storage, and history-access controls.
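The following is an added example, not code from the skill or from SkillSpector, showing the kind of check the recommendation above calls for: walk the workspace data directory, flag files readable beyond the owner, flag the plaintext key file, and open any SQLite database read-only to report tables that carry credential columns (the report names token and open_token on the User model). Only the two file names come from the audit; the directory layout, the extra column names and the sample workspace built by build_sample_workspace are constructed assumptions.

```python
import sqlite3
import stat
import tempfile
from pathlib import Path

# File names taken from the audit summary; the rest of the layout is assumed.
KNOWN_SECRET_FILES = {"smyx-api-key.txt"}
KNOWN_DB_FILES = {"smyx-common-claw.db"}
# Column names that usually hold credentials (the report names token and open_token).
TOKEN_COLUMNS = {"token", "open_token", "api_key", "password", "secret"}


def token_columns_in_db(db_path: Path) -> dict:
    """Open a SQLite file read-only and return {table: [credential-looking columns]}."""
    found = {}
    conn = sqlite3.connect(f"{db_path.resolve().as_uri()}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in cols if c.lower() in TOKEN_COLUMNS]
            if hits:
                found[table] = hits
    finally:
        conn.close()
    return found


def audit_data_dir(data_dir) -> list:
    """Walk the workspace data directory and return one string per problem found."""
    findings = []
    root = Path(data_dir)
    if not root.is_dir():
        return [f"missing: {root} does not exist (skill never ran, or path differs)"]
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"loose-perms: {path.name} mode {oct(mode)} is readable beyond the owner")
        looks_like_key = path.name in KNOWN_SECRET_FILES or (
            "key" in path.name.lower() and path.suffix == ".txt")
        if looks_like_key and path.stat().st_size > 0:
            findings.append(f"plaintext-secret: {path.name} stores a credential at rest")
        if path.name in KNOWN_DB_FILES or path.suffix == ".db":
            try:
                for table, cols in token_columns_in_db(path).items():
                    findings.append(f"token-in-db: {path.name} table {table} has columns {cols}")
            except sqlite3.DatabaseError as exc:
                findings.append(f"unreadable-db: {path.name} ({exc})")
    return findings


def build_sample_workspace(root: Path) -> Path:
    """Constructed fixture, not real skill output: a world-readable key file and a users table."""
    root.mkdir(parents=True, exist_ok=True)
    key = root / "smyx-api-key.txt"
    key.write_text("constructed-not-a-real-key\n")
    key.chmod(0o644)  # world-readable on purpose, to trigger the permission finding
    db = root / "smyx-common-claw.db"
    conn = sqlite3.connect(db)
    with conn:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                     "realname TEXT, email TEXT, token TEXT, open_token TEXT)")
    conn.close()
    db.chmod(0o600)
    return root


def demo() -> list:
    """Build the fixture in a fresh temp dir, audit it, and return the findings."""
    root = build_sample_workspace(Path(tempfile.mkdtemp()) / "data")
    return audit_data_dir(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run audit_data_dir against the real workspace data directory after the skill has run once. A "plaintext-secret" or "token-in-db" line is the signal that the directory needs to be isolated (separate workspace per skill, or a restricted-permission mount) until the publisher clarifies token storage.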

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (31)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
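Both getattr() findings above concern the same pattern: caller-chosen filter keys are passed straight to getattr() on the mapped model, so a caller can filter on columns the API never meant to expose (an equality probe against token or open_token becomes a credential oracle) or hit methods and dunder attributes that are not columns at all. The block below is an added example, not the skill's code: Column and User are simplified stand-ins for the ORM model (not SQLAlchemy), the __filterable__ allowlist is an assumption about which fields the API should accept, and build_clauses_safe is the hardened counterpart.

```python
class Column:
    """Tiny stand-in for an ORM column: a comparison yields an inspectable clause."""

    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        return ("eq", self.name, other)

    __hash__ = object.__hash__


class User:
    """Stand-in for the audited User model; the credential fields are the ones the report names."""
    __filterable__ = frozenset({"username", "email"})  # assumption: what the API should expose
    username = Column("username")
    realname = Column("realname")
    email = Column("email")
    token = Column("token")
    open_token = Column("open_token")

    @classmethod
    def delete_all(cls):
        return "not a column"


def build_clauses_unsafe(model, filters):
    """Pattern from the finding: every caller-chosen key goes straight into getattr().

    A key naming a credential column becomes an equality probe; a key naming a
    method or dunder attribute silently turns into a bool clause; an unknown key
    raises AttributeError from inside the query path.
    """
    return [getattr(model, key) == value for key, value in filters.items()]


def build_clauses_safe(model, filters):
    """Only declared, filterable Column attributes may be used; anything else is an error."""
    allowed = getattr(model, "__filterable__", frozenset())
    clauses = []
    for key, value in filters.items():
        if key not in allowed:
            raise ValueError(f"filter on {key!r} is not permitted")
        col = getattr(model, key)
        if not isinstance(col, Column):
            raise ValueError(f"{key!r} is not a column")
        clauses.append(col == value)
    return clauses


def rejects(model, filters) -> bool:
    """True when the hardened builder refuses the filter set."""
    try:
        build_clauses_safe(model, filters)
    except ValueError:
        return True
    return False
```

With a real SQLAlchemy model the allowlist can be derived from the mapper (for example the set of column keys minus the credential fields) rather than hand-written, but it must still be a closed set checked before getattr() runs; checking isinstance after the fact is not enough on its own, because the credential columns are valid columns.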

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises significant capabilities—shell execution, file read/write, network access, and environment usage—without declaring permissions or clearly scoping them. This weakens reviewability and consent boundaries, making it easier for the skill to perform sensitive actions such as local persistence, remote API calls, or command execution beyond what users expect from a video-analysis skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is narrow, but the behavior described is materially broader: it creates or reuses identities, persists them locally, authenticates to remote services, lists historical reports, and generates report links. This mismatch is dangerous because users and reviewers may authorize a livestock-video analysis skill without realizing it also manages identity state and accesses cloud account data.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest frames the skill as a detector for estrus behavior from videos, but the body also describes cloud-based historical report retrieval and report-link generation. This creates a scope deception issue: the skill can access or expose prior user data flows that are not obvious from the top-level description.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automatic historical report querying is broader than the core purpose of analyzing an uploaded estrus video and can expose prior analysis metadata and report URLs. Because it is triggerable by keywords and mandated to call a cloud API, it increases the risk of unintended data access and overcollection.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatic internal identity initialization, reuse, and creation is not necessary for local video inference and expands the skill into account lifecycle management. Silent identity persistence can create hidden state, increase privacy risk, and make cross-session tracking possible without meaningful user awareness.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script performs hidden identity resolution via OpenIdUtil.resolve_current_open_id and exposes a history-listing mode tied to an internal open_id, even though these capabilities are suppressed from normal help output and are not justified by the stated analysis purpose. Hidden account-context selection and report retrieval can enable unauthorized access to prior analysis records or cross-user data exposure if downstream controls are weak or misconfigured.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill accepts arbitrary HTTP(S) video URLs and forwards them to the backend analysis API, which expands the attack surface beyond local file analysis. This can enable server-side fetching of attacker-controlled resources, creating SSRF-style risk, unexpected data exfiltration paths, or abuse of backend network access if the downstream service dereferences the URL.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill exposes report/history listing functionality unrelated to the stated estrus-video analysis task, increasing the chance of unauthorized access to prior analysis metadata or outputs. If access control is weak in the underlying API, this method can facilitate cross-user data discovery and bulk retrieval of sensitive report information.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The function exposes account-scoped history retrieval via `skill.get_output_analysis_list(open_id=open_id)`, which is outside the manifest’s stated purpose of analyzing a supplied barn video and returning an estrus result. This kind of hidden secondary capability increases data exposure risk because it may reveal prior analyses or user-associated records without being clearly disclosed or constrained by the advertised functionality.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Importing and using OpenID-based account context for a narrowly scoped video-analysis skill suggests the skill is tied to user identity and potentially account data beyond what is necessary for single-file estrus inference. Even if not directly exploitable in this file alone, the unnecessary identity coupling expands the attack surface and can enable unauthorized access patterns when combined with hidden account-based features like history listing.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The CLI includes a `--list` mode that retrieves historical analysis records for the current OpenID account, which is a materially different capability from analyzing an input video. In this context, the mismatch between manifest and behavior is more dangerous because livestock video analysis does not inherently require account-history enumeration, so users and reviewers may not expect or scrutinize access to stored records.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This file implements a generic API client with broad CRUD methods, arbitrary HTTP verbs, and user lookup functionality that are not constrained to estrus-behavior analysis. In an agent skill context, this expands the attack surface and can enable unintended remote actions, data access, or repurposing of the skill as a general network-capable tool if higher-level controls are weak or bypassed.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The advertised skill purpose is narrowly domain-specific, but the implementation exposes generic remote API and user-enumeration capabilities unrelated to livestock estrus recognition. This mismatch is risky because it can hide non-obvious capabilities from reviewers and users, making misuse, privilege creep, and covert data operations more likely.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements generic user-account persistence, including username matching and default-user selection, which is unrelated to estrus video analysis. In an agent skill, hidden identity-management code expands the data-handling surface beyond the declared purpose and can facilitate covert collection, reuse, or correlation of user identities across tasks. The mismatch between advertised functionality and actual behavior is itself a serious trust and security concern.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores identity and authentication-related fields such as username, realname, email, token, and open_token, none of which are needed for livestock estrus detection. Retaining and updating this data inside an unrelated skill creates unnecessary sensitive-data exposure and increases the consequences of compromise, especially when combined with a shared database design.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The docstring describes a local lightweight database wrapper, but the implementation forcibly redirects all database paths into a workspace-wide shared data directory. That discrepancy can mislead reviewers and operators about data isolation, causing them to underestimate cross-skill data sharing and the resulting confidentiality risks. In this context, centralizing user records and tokens across skills is materially more dangerous than a truly local per-skill store.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This utility file goes far beyond estrus-video analysis and implements identity resolution, local user persistence, token handling, account provisioning, and authenticated remote API access. That creates a broad hidden capability surface: a skill that appears domain-specific can silently establish accounts, retrieve credentials, and send data off-box, which is risky in agent environments where users expect least-privilege behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code reads identity material from workspace data files and, if absent, automatically creates and persists a default user identity in local storage. In this skill context, that behavior is unrelated to livestock estrus detection and can silently bind activity to a persistent identifier, enabling tracking, unintended account creation, and later authenticated actions without informed user approval.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The RequestUtil class exposes a generic remote request primitive supporting multiple HTTP verbs, arbitrary URLs/paths, auth header injection, retries, and token refresh behavior. In a narrowly described estrus-analysis skill, this is an unnecessarily powerful exfiltration and remote-action mechanism that can be reused by other code paths to transmit user data or invoke unrelated backend operations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The history-report trigger uses broad natural-language phrases that may activate report retrieval even when the user did not intend to access historical cloud data. In a skill that also manages identity and report links, unintended activation can lead to privacy-invasive data exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs automatic saving of uploaded files to local storage without prominently warning the user or explaining retention. Silent local persistence of user-provided media creates unnecessary privacy and security risk, especially for sensitive operational footage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends either full local file contents or user-supplied remote video URLs to an external analysis service without any visible user-facing notice, confirmation, or data-handling disclosure in this file. For barn videos, this may expose proprietary farm operations or incidental personal data, making silent transfer a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The debug log prints the full prompt content, which may contain sensitive user data, operational details, or proprietary input. If debug logging is enabled in production or logs are centrally collected, this can expose confidential information to unauthorized readers and expand the blast radius of any upstream prompt injection or data handling issue.
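As an added example (not the skill's own code), the block below shows one way to keep the debug line described above useful while never writing the whole prompt to disk: a logging.Filter attached to the handler rewrites string arguments before the formatter sees them, replacing long or credential-bearing values with a length, a short hash and a redacted preview. The credential key names come from the report; the preview length, the URL rule and the sample prompt are constructed assumptions.

```python
import hashlib
import io
import logging
import re

PREVIEW = 40  # assumption: how much redacted context a debug line may keep
SECRET_PATTERNS = [
    # key=value / key: value pairs for the credential names the audit mentions
    re.compile(r"(?i)\b(api[_-]?key|open_token|token|password)\b\s*[:=]\s*\S+"),
    # URLs: paths and query strings can carry signed links or embedded credentials
    re.compile(r"https?://\S+"),
]
SECRET_REPLACEMENTS = [r"\1=<redacted>", "<url>"]

# Constructed sample prompt; the key and the URL are fake.
SAMPLE_PROMPT = ("Analyze barn video https://video.example.test/cam1.mp4?sig=abc123 "
                 "for cow 17. api_key=sk-constructed-secret-000")


def redact_text(text: str, preview: int = PREVIEW) -> str:
    """Summarise text for a log line: length, short hash, and a redacted, truncated preview."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]
    scrubbed = text
    for pattern, repl in zip(SECRET_PATTERNS, SECRET_REPLACEMENTS):
        scrubbed = pattern.sub(repl, scrubbed)
    # redact first, truncate second, so a cut never leaves half a secret behind
    return f"len={len(text)} sha256={digest} preview={scrubbed[:preview]!r}"


def scrub_arg(arg):
    """Redact any string argument that is long or matches a secret pattern."""
    if isinstance(arg, str) and (len(arg) > PREVIEW or any(p.search(arg) for p in SECRET_PATTERNS)):
        return redact_text(arg)
    return arg


class PromptRedactor(logging.Filter):
    """Handler-level filter: rewrites record args before the formatter renders the message."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, tuple):
            record.args = tuple(scrub_arg(a) for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: scrub_arg(v) for k, v in record.args.items()}
        return True


def render_debug_line(prompt: str) -> str:
    """Emit the kind of debug line the finding describes, through the redactor, and return it."""
    buf = io.StringIO()
    logger = logging.getLogger("smyx.redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PromptRedactor())
    logger.addHandler(handler)
    logger.debug("prompt content: %s", prompt)  # the unsafe call site, now harmless
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    print(render_debug_line(SAMPLE_PROMPT))
```

The hash lets an operator correlate a log line with a prompt they already hold without the log itself becoming a copy of it. The filter sits on the handler, not the logger, so it also covers records that arrive from child loggers or third-party code that logs the same argument.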

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2
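The block below is an added example, not part of the audit output or of the skill, and it serves two findings on this page: the Description-Behavior Mismatch entry about forwarding caller-supplied HTTP(S) video URLs to the backend (SSRF-style risk), and the static-analysis hit above on an install source that points at a URL shortener or raw IP. check_video_url is the guard the skill would run before handing a URL to the analysis API; check_install_source reproduces the static check. The allowlisted host, the shortener list and the FAKE_DNS fixture are constructed assumptions so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Illustrative lists; a real deployment would take these from policy.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly"}
VIDEO_HOST_ALLOWLIST = frozenset({"video.example.test"})  # assumption: the vendor's media host

# Constructed DNS fixture so the example runs offline; 8.8.8.8 stands in for "some public address".
FAKE_DNS = {"video.example.test": ["8.8.8.8"], "internal.example.test": ["10.0.0.5"]}


def fake_resolver(host):
    return FAKE_DNS[host]


def default_resolver(host):
    """Real resolver: every address the host maps to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_video_url(url, resolver=default_resolver, allowlist=VIDEO_HOST_ALLOWLIST):
    """Return (ok, reason) for a caller-supplied URL before it is forwarded to the backend."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        if parts.port not in (None, 443):
            return False, "non-standard port"
    except ValueError:
        return False, "invalid port"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed"
    except ValueError:
        pass  # a hostname, which is what we want
    if allowlist and host not in allowlist:
        return False, f"host {host} not in allowlist"
    try:
        addrs = resolver(host)
    except (OSError, KeyError) as exc:
        return False, f"could not resolve {host}: {exc}"
    non_public = [a for a in addrs if not is_public_ip(a)]
    if non_public:
        return False, f"{host} resolves to non-public address {non_public[0]}"
    return True, "ok"


def check_install_source(url) -> list:
    """Reproduce the static check: flag non-https, raw IP, or URL-shortener install sources."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address")
    except ValueError:
        pass
    if host in SHORTENER_HOSTS or any(host.endswith("." + s) for s in SHORTENER_HOSTS):
        reasons.append("URL shortener")
    return reasons


if __name__ == "__main__":
    print(check_video_url("https://video.example.test/cam1.mp4", resolver=fake_resolver))
    print(check_install_source("http://203.0.113.5/install.sh"))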