Back to skill

Security audit

Pet Eye Anomaly Detection (Redness / Tearing / Cataract) | 宠物眼睛异常识别(红肿/流泪/白内障)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised pet-eye analysis, but it also silently creates or reuses remote identity state and stores authentication tokens for cloud history/report access.

Install only if you are comfortable sending pet images/videos or provided media URLs to the publisher's cloud service, linking reports to an automatically managed identity, and allowing the skill to store local user/token state for future history lookups. Ask the publisher for a clear retention, deletion, and credential-storage policy before using it with sensitive household footage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to read and write local files, invoke shell commands, access environment-derived identity state, and call networked APIs, but it declares no permissions or trust boundaries. This mismatch is dangerous because users and the platform may not realize that uploaded files, local defaults, and cloud endpoints are being accessed and persisted, increasing the chance of unintended data exposure or unsafe execution.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a history-report listing capability keyed by open_id, which is outside the stated purpose of analyzing provided pet eye images or videos. Even though this wrapper passes only the current internal identity, the presence of a hidden historical access path increases the risk of unauthorized access to prior analyses and associated user data if upstream identity handling is weak or manipulated.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code initializes an internal user identity through a hidden open_id mechanism and then uses it to access report history, which is unrelated to the advertised eye-anomaly detection function. Hidden identity resolution and suppressed CLI parameters can enable covert data access patterns, make consent unclear, and create an opportunity for cross-user history exposure if identity derivation is flawed.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation behavior does not match the declared purpose: it is a generic video-analysis/history client that forwards a local path or URL to a backend via skill.get_output_analysis without any pet-eye-specific validation or constraints. This mismatch is dangerous because users may believe they are invoking a narrowly scoped medical-screening tool when the skill actually provides broader remote analysis capability, increasing the risk of undisclosed data handling and scope creep.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The history-listing capability exposes prior analysis records through skill.get_output_analysis_list(open_id=open_id), which is not necessary for the stated single-purpose eye anomaly detection flow. Extra data-access features increase attack surface and may enable unauthorized enumeration or disclosure of prior analyses if identity handling or authorization is weak elsewhere in the stack.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This file exposes generic CRUD wrappers and arbitrary HTTP verb helpers that are broader than the stated pet eye anomaly detection purpose. In a skill expected to perform image/video eye analysis, providing reusable remote request primitives increases the attack surface and enables unintended outbound actions, especially if higher-level code can pass attacker-controlled URLs or parameters.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file defines a generic sys_user persistence layer with personal attributes and token/open_token storage that are unrelated to the declared pet eye anomaly detection purpose. This expands the skill's data-handling scope and creates unnecessary collection and retention of identity and credential-like data, increasing privacy and abuse risk if the database is accessed or reused by other components.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The User model stores token and open_token fields alongside profile data, implementing credential-like state management not justified by pet image eye-health analysis. In this skill context, that mismatch is more suspicious because the manifest describes local visual anomaly detection, not user identity, authentication, or token lifecycle handling.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The utility code automatically provisions, retrieves, and persists remote user identities and access tokens, which is unrelated to the stated pet eye anomaly detection purpose. This creates hidden account-management and credential-handling behavior that can silently bind the skill to external services, expand the attack surface, and enable unauthorized or unexpected backend activity under a generated or reused identity.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code inspects environment-derived workspace paths and later uses workspace-local data files to derive identity context, behavior that is not necessary for local eye-image analysis. In this skill context, such environment and filesystem discovery increases concern because it reaches outside the declared feature set and may expose internal deployment structure or enable silent identity reuse across agents.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill can generate synthetic local users, persist them, and use them as fallback identities when no explicit open-id is supplied. That is unrelated to pet eye anomaly detection and is dangerous because it creates opaque identities that may be used for network actions, audit confusion, or unintended account creation without user awareness.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default trigger activates whenever a user provides a close-up pet face image or video for analysis, which is broad enough to catch generic image-analysis requests that may not be intended for this skill. Over-broad auto-invocation can cause unintended processing of attachments and URLs, sending user content to local scripts or remote APIs without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill says attachments are automatically saved locally and that network URLs are processed by an API service, but it does not give a clear privacy notice about retention, transmission, third-party processing, or handling of historical reports. Users may unknowingly submit sensitive images, videos, and link targets to cloud services, creating avoidable privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill reads local files into memory and submits either the file contents or a user-supplied remote video URL to an external analysis service without any visible user warning, consent step, or disclosure in this code path. Because the content consists of pet close-up imagery/video, it may include sensitive household context or metadata, creating a privacy and data-handling risk if users are unaware their data is being transmitted off-device.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script includes a suppressed --api-key argument and supports network-backed analysis, but there is no visible disclosure to users that credentials may be supplied and media may be transmitted to an external service. Hidden credential and transmission paths are risky because they undermine informed consent, complicate auditing, and can facilitate covert exfiltration of sensitive pet-owner media or service secrets.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads an internal identity value from data/smyx-api-key.txt without any visible user disclosure or consent mechanism. Even if intended for convenience, silently consuming a local identity source is risky because it can appropriate credentials or identifiers from the workspace and apply them to unrelated network activity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The utility performs automatic remote login/registration via /sys/phoneLogin with silent/register flags, without any evident user-facing disclosure. In this skill context, this is especially problematic because a pet eye analysis tool should not unexpectedly create or log into remote accounts, making the behavior deceptive and privacy-impacting.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The generic request method automatically attaches identity fields and authentication headers, and may send pnaUserName, X-Access-Token, X-Api-Key, and Authorization to external endpoints without visible disclosure at the call site. This is dangerous because it normalizes silent credential propagation and data sharing, which is far outside the declared purpose of image-based eye anomaly detection.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 支持 jpg/png/mp4/avi/mov 格式,最大 10MB |
| 🔎 使用提醒 | **拍摄要求**:面部近景、光线充足、双眼清晰;模糊/逆光/眼睛闭合的图像无法得出可靠结果 |
| 🧑‍⚖️ 结果性质 | **识别结果仅供视觉参考,绝不替代专业兽医诊断**;任何疑似异常都建议就医确诊 |
| 🔎 使用提醒 | 部分品种眼部生理特征本身偏红或泪痕较重,需结合个体基线判断 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,API 服务会自动下载 |
Confidence
82% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "smyx-eye-anomaly-detection-analysis"
description: "AI-powered pet eye anomaly detection from close-up facial images/video. Detects conjunctival redness, abnormal tearing/tear stains, and pupil/cornea opacity (cataract / corneal edema), then outputs anomaly alerts to help owners catch eye disease risks early. Scenarios: daily home health self-check, boarding center routine inspection, animal hospital triage, senior pet cataract monitoring. | 通过宠物摄像头捕捉宠物面部近景视频,利用AI视觉分析技术检测眼部充血(结膜颜色发红)、异常流泪(泪痕严重或持续性溢泪)、瞳孔区域浑浊(可能为白内障或角膜水肿)等异常征象,输出异常提示,帮助主人及早发现眼部疾病风险。适用于日常健康监测、老年宠物护理及宠物医院预检。应用场景:宠物家庭日常健康自检、宠物寄养中心巡检、宠物医院门诊初筛、老年宠物白内障监测。"
version: "1.0.5"
license: "MIT-0"
---
Confidence
72% confidence
Finding
description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2