Security audit

Baby Blanket Kick Monitoring Skill | 婴儿蹬被监测技能

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised baby video analysis, but it also sends sensitive nursery media to cloud services and silently creates, reuses, and stores account credentials.

Review this skill carefully before installing. It may upload infant sleep videos or URLs to an external cloud API, query cloud report history, create or reuse an internal user identity, and store service tokens locally. Install only if you accept those cloud-processing and account-persistence behaviors for sensitive nursery footage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (27)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
74% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
            if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
72% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises no explicit permissions, yet its instructions clearly require shell execution, local file handling, network access, and likely environment/config access. This mismatch weakens reviewability and consent because operators and policy systems cannot accurately assess what the skill will do before activation.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation is a generic file/URL submission and report retrieval wrapper, not a narrowly scoped infant blanket-kick monitor. That capability mismatch materially expands what the skill can ingest and exfiltrate, increasing the chance of misuse for arbitrary media analysis and making the declared safety context unreliable.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Allowing arbitrary http/https URLs lets the backend analyze remote content outside the stated baby blanket monitoring purpose. In context, this broadens the trust boundary and may enable misuse of the service to fetch or process attacker-controlled external resources, with privacy and abuse implications.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file implements a generic video-analysis wrapper plus history-listing functionality instead of logic narrowly scoped to infant blanket-kick monitoring. This mismatch is dangerous because it indicates the published skill purpose may conceal broader media-processing behavior, increasing the risk of unauthorized surveillance, over-collection of user video, or use of the skill as a generic analysis front end outside its declared safety context.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The ability to list historical analyses by open_id is not necessary for the stated real-time infant blanket alerting purpose and expands access to previously processed user data. If authorization around open_id is weak elsewhere, this feature could expose sensitive baby-monitoring history or become an enumeration point for cross-user data access.

Intent-Code Divergence

Medium
Confidence
73% confidence
Finding
The function signature and docstring imply caller-controlled API endpoint, key, and output-level behavior, but the implementation ignores those parameters and delegates directly to an internal skill object. This discrepancy is dangerous because it obscures the true execution path, prevents callers from understanding where sensitive video is sent, and can hide hardcoded or implicit back-end processing that is broader than advertised.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file exposes a broad, reusable API client surface including list/add/edit/delete and arbitrary HTTP GET/POST/PUT/DELETE operations that are not scoped to the stated infant blanket-kick monitoring purpose. In a skill context, such generic network and CRUD primitives can be repurposed by other code paths to access or manipulate unrelated backend resources, increasing the attack surface and enabling capability abuse well beyond monitoring and alerting.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The http_post/http_put/http_get/http_delete methods accept caller-controlled URLs and arguments and directly forward them to the request utility, effectively providing arbitrary outbound network access. For an infant-monitoring skill, this is unjustified and dangerous because any upstream component that can call this service may use it to contact unintended internal or external services, exfiltrate data, or bypass expected application boundaries.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The add, edit, and delete helpers provide generic data-manipulation capability without any apparent domain restriction, object validation, or business-specific safeguards. In the context of a baby sleep monitoring skill, write and delete primitives exceed the expected minimal functionality and could be abused to alter or remove unrelated data if exposed through higher-level logic.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This code reads environment-derived workspace paths, accesses a local API-key file, and creates or persists a default user identity unrelated to the stated infant blanket monitoring purpose. In a skill context, that expands access to local sensitive data and silently establishes identity state, which is dangerous because it enables unauthorized credential harvesting and persistent user tracking beyond user expectations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The request helper performs remote phoneLogin/registration, token acquisition, and local token persistence, which goes far beyond blanket-kick detection. That behavior can silently create or reuse remote accounts and establish authenticated sessions without clear user action, creating account abuse, privacy, and unauthorized network activity risks.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest describes a narrowly scoped infant monitoring skill, but this file implements a broad authenticated API client with token lifecycle management, user lookup, registration, retries, and billing-related responses. This mismatch is a strong indicator of overbroad capability and hidden behavior, making the skill materially more dangerous because users and reviewers would not expect networked identity and account management from this stated function.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The history-report auto-trigger phrases are broad enough to match common requests such as asking to view reports or lists, which can cause the skill to invoke cloud APIs outside a narrowly intended infant-monitoring context. In an agent setting, overbroad routing increases the chance of unintended data access or disclosure tied to the internally associated user account.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The default activation rule says the skill should trigger whenever a user provides infant sleep monitoring video for blanket-kick detection, but it does not define boundaries or exclusions. Ambiguous default activation can cause the agent to run analysis or transfer sensitive nursery footage to backend services when the user intent is uncertain or only loosely related.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill handles highly sensitive infant bedroom imagery and URLs, and the document states that remote API services may download or process those inputs, but it does not prominently warn about cloud transmission and retention implications. This creates a meaningful privacy and compliance risk because users may unknowingly send intimate in-home monitoring data to external systems.

Natural-Language Policy Violations

Low
Confidence
84% confidence
Finding
The skill mandates silent internal identity handling and even automatic fallback user creation without user opt-in. That can bind sensitive infant-monitoring reports to an account unexpectedly, creating privacy, consent, and policy issues even if it is framed as an implementation detail.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads the entire local file and submits it for analysis without any visible notice, consent check, or minimization in this component. For a baby-monitoring skill, uploaded videos are likely sensitive household recordings, so silent transmission creates meaningful privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The User model stores token and open_token values directly in a local SQLite database with no evident encryption, hashing, access control, or lifecycle protections. If the database file is read by another local process, copied from the workspace, or included in backups/logs, these credentials could be reused for account or API compromise.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file helper opens arbitrary paths for writing with no path validation, sandboxing, or user disclosure. If attacker-influenced input reaches this helper, it could overwrite local files, alter configuration, or plant data in unexpected locations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This helper transmits user and system-derived data over the network, including tokens, usernames, tenant and platform metadata, without any visible disclosure in the skill itself. In the context of a baby-monitoring skill, undisclosed outbound transmission is especially problematic because it collects and sends identity/account context unrelated to the stated safety function.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code derives a workspace path from an environment variable and reads a local API-key file without clear notice or consent. Accessing local credential material in a skill whose declared purpose is infant blanket monitoring is an unnecessary and privacy-sensitive capability that could expose secrets or facilitate impersonation.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
90% confidence
Finding
requests.post(_url, json=

Unvalidated Output Injection

High
Category
Output Handling
Content
        try:
            # Execute the command
            # result = subprocess.run(
            #     cmd,
            #     capture_output=True,
            #     text=True,
Confidence
95% confidence
Finding
subprocess.run( # cmd, # capture_output

VirusTotal

65/65 vendors flagged this skill as clean.