Back to skill

Security audit

Regional Humanoid Detection Skill | 区域人形检测技能

Security checks across malware telemetry and agentic risk

Overview

The skill is a real human-detection workflow, but it silently uploads sensitive monitoring media to a remote service and manages persistent identity tokens with limited user control or disclosure.

Install only if you are comfortable sending monitoring footage or video URLs to the configured remote service and having the skill silently create or reuse a local identity, retrieve cloud report history, and persist account tokens in a workspace SQLite database. Use extra caution for workplace, restricted-area, or personally identifiable footage, and prefer an environment where token storage, report access, and retention can be reviewed or controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (28)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises no explicit permissions, yet the documentation clearly instructs use of local file handling, shell execution, network access, and local state persistence behaviors. This creates a transparency and governance gap: operators may approve the skill believing it is low-privilege while it can access local files, invoke scripts, contact remote services, and write state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is video-based human detection, but the skill also describes automatic identity initialization, fallback to a default local user, creation/reuse of accounts, and historical report retrieval tied to internal identity. Hidden identity provisioning and token/account persistence materially exceed the declared function and can expose user data, cross-session linkage, or unauthorized access to cloud-stored reports.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The API documentation is for pet health analysis while the skill metadata describes human detection for access monitoring. This mismatch can cause the agent or operators to invoke unrelated endpoints, expose unintended data flows, or connect the skill to the wrong backend service, which is especially risky because the documented endpoints include report export and historical result access. In a security review, capability/documentation mismatches are dangerous because they can mask hidden functionality or accidental cross-domain data access.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The CLI performs hidden identity resolution and supports listing prior analysis records, which goes beyond the advertised function of analyzing a user-supplied video. This creates a privacy and authorization risk because a user may unknowingly operate under an internal identity context and retrieve metadata or results not strictly tied to the current input.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The script exposes a history-listing capability via `show_analyze_list(open_id)` that is not clearly necessary for the stated human-detection purpose. In a surveillance/personnel-monitoring context, historical analysis results may contain sensitive operational data, and exposing this functionality without clear authorization checks in this layer increases the risk of privacy leakage or unintended data access.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file exposes generic CRUD helpers and arbitrary HTTP client methods that are not narrowly scoped to the stated human-detection purpose. In a skill intended for personnel detection, these wrappers can be reused to access or manipulate unrelated backend resources, expanding the attack surface and enabling unintended data exfiltration or control paths.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The add, edit, and delete methods provide direct remote resource modification capability through caller-supplied URLs and arguments, with no visible authorization, validation, or scope restriction in this layer. For a detection-oriented skill, this is unnecessarily powerful and could be abused to alter or delete arbitrary remote state if exposed through agent workflows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The generic http_post/http_put/http_get/http_delete methods allow arbitrary outbound requests beyond the declared skill function of detecting personnel. Such unrestricted request capability can be repurposed for exfiltration, interaction with unauthorized services, or pivoting to internal/adjacent systems depending on runtime network access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file defines broad user-account storage and management functions, including lookup and mutation of user records, despite the skill being described as human/personnel detection. That scope mismatch increases risk because the skill gains unnecessary access to identity data and account lifecycle operations unrelated to vision detection.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores token and open_token values, which are sensitive authentication artifacts, yet the declared skill purpose is personnel detection rather than identity/session management. If this local database is exposed, tokens could enable account takeover or lateral access into other systems.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The implementation performs generic SQLite path handling, shared workspace database access, CRUD operations, and schema migration for user records, which is much broader than a human-detection feature requires. Such hidden capability expansion increases attack surface and may enable unintended persistence and cross-component data access.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This utility code automatically provisions accounts, retrieves tokens, and persists identity material, which is unrelated to a human-detection computer-vision skill. In this context, hidden identity bootstrap and token storage expands the skill's privileges and can enable unauthorized API access, account creation, or user tracking without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill reads identity-related values from workspace files and environment-derived workspace context even though its stated purpose is personnel detection. That mismatch makes the behavior suspicious because it accesses local identity material outside what is reasonably needed for image analysis, increasing the risk of silent credential use or cross-workspace identity leakage.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file implements a broad HTTP client, token handling, account bootstrap, and billing-related messaging that materially exceeds the declared scope of a human-detection skill. Such scope mismatch is dangerous because reviewers and users may authorize a vision feature while unknowingly granting a general networked identity-capable component access to their environment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The default trigger is broad enough to activate whenever a user provides a monitoring video needing analysis, without stronger confirmation that this specific skill is intended. Over-broad activation can cause unintended processing of sensitive surveillance footage and automatic transmission to external analysis services.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The history-query auto-trigger relies on generic phrases like viewing historical reports, which may be used in unrelated contexts. This increases the chance of unintended cloud API calls and disclosure of prior report metadata tied to an internally managed identity.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The skill mandates silent internal identity handling, forbids asking for identity parameters, and permits automatic reuse or creation of a default local user. In a security-monitoring context, this removes user awareness and consent around account association, making it easier to bind actions and report access to hidden local identity state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tool accepts a network video URL and sends it to backend analysis without an explicit warning that the URL and potentially accessible media location will be disclosed to a remote service. In a surveillance context, this can leak sensitive camera endpoints, internal network locations, or monitoring targets, especially if users provide private or intranet URLs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code resolves the current OpenID internally without visible disclosure, meaning actions may be tied to an internal identity context the user did not explicitly provide or confirm. This can lead to privacy issues, confusing attribution, and unauthorized access to per-user history or backend resources under an unexpected identity.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code reads the entire local file and uploads it to a backend analysis service without any visible user-consent flow, warning, or minimization in this module. In a vision-analysis skill, this can lead to unintended transfer of sensitive video content, especially because personnel-monitoring footage may contain identifiable individuals and restricted-area imagery.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool accepts local video files or remote video URLs and sends them for analysis through `skill.get_output_analysis(...)`, but provides no explicit warning that footage may be transmitted to an external service. In a human-detection/surveillance context, videos can contain personally identifiable and sensitive location/activity data, making silent transmission a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads identity values from a local file and reuses or creates a default open-id without any visible user disclosure or opt-in. Silent handling of identity material can lead to unintended account linkage, tracking, or misuse of local credentials, especially in shared agent workspaces.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends identity-linked data such as openId, mobile/username, and source to a remote endpoint without any in-band disclosure in a skill whose purpose is human detection. This creates privacy and security risk because users may not expect their identifiers to be transmitted to external services as part of using a vision feature.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2