Back to skill

Security audit

Kitchen Stove Left-On Detection | 老年人厨房忘关火识别

Security checks across malware telemetry and agentic risk

Overview

The skill does the advertised stove-video analysis, but it also silently creates or reuses a cloud identity and stores account tokens locally for home-video reports, so it needs careful review before installation.

Install only if you are comfortable sending kitchen video files or URLs to the configured LifeEmergence cloud services, keeping cloud report history, and allowing the skill to create/reuse a local identity with stored tokens. Ensure household consent before use, treat any valve-shutdown integration as requiring independent safeguards, and plan how to inspect, rotate, or delete the local workspace data if uninstalling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
71% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
70% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while its documented operation requires shell execution, network access, local file handling, and likely environment access. This is dangerous because it hides the real trust boundary from reviewers and users, making it easier to introduce data exfiltration, unsafe command execution, or unexpected local state changes without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior extends far beyond stove monitoring into hidden identity creation, token acquisition from remote services, local SQLite persistence, and cloud report retrieval through a generic AI backend. That mismatch is dangerous because users may provide sensitive household video believing it is used only for a narrow safety function, while the implementation performs additional account, storage, and remote-processing actions that expand privacy and security risk.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
A skill presented as a real-time stove safety detector also includes history-report retrieval and report-link generation, which broadens data access beyond immediate monitoring. In a home surveillance context, that creates additional exposure of sensitive historical household activity and may enable unintended disclosure if report links are accessible or mishandled.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill mandates cloud API access for historical report queries even though that capability is not necessary for the narrowly described stove-left-on detection task. This increases the attack surface by introducing external data flows and remote dependency risks, especially given the sensitivity of household monitoring records.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documentation describes silent identity initialization, reuse of local default users, and automatic creation of local user records unrelated to simple video safety analysis. Hidden identity binding is dangerous because it can associate private surveillance data with accounts without transparent user consent, and local persistent identifiers can be abused for tracking or cross-session data leakage.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill manifest describes analysis from a fixed kitchen camera, but the code also accepts arbitrary HTTP/HTTPS video URLs. This expands the trust boundary and can enable server-side fetching of attacker-controlled resources, unintended processing of off-scope content, and privacy/compliance issues if users or upstream agents assume only local fixed-camera input is allowed.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes a history-listing mode via `--list` and `show_analyze_list(open_id)` that goes beyond the manifest’s stated purpose of real-time stove-left-on analysis. If a caller can invoke this mode or influence the resolved OpenID, it may disclose prior analysis records or surveillance-derived metadata unrelated to the advertised function, expanding privacy exposure and attack surface.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The script accepts arbitrary remote video URLs through `--url`, despite the skill being described as operating on a fixed kitchen camera feed. This broadens the input scope beyond the declared context and can enable analysis of unintended third-party content or abuse of backend fetching behavior, creating privacy, policy, and potential network exposure concerns.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file defines and persists a generic user-account data model, including identity and account-related fields, that is materially broader than the declared purpose of stove-left-on video detection. This indicates unnecessary data collection and retention, expanding the attack surface and the privacy impact of any compromise without a clear functional need in the stated skill context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The model stores authentication tokens, open tokens, email, real name, birthday, and other personally identifying fields without any clear necessity for a kitchen safety-monitoring function. If the local SQLite database is accessed or copied, these sensitive credentials and PII could be exposed, enabling account compromise and significant privacy harm.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This code introduces identity bootstrapping behavior unrelated to a kitchen stove monitoring skill: it reads a workspace API-key file, reuses local database identities, and generates persistent default open-id values. That materially expands the skill's data-access and account-lifecycle scope beyond the declared safety function, creating hidden identity handling and persistence that could be abused for unauthorized account use or cross-skill tracking.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The HTTP helper performs authentication state management, remote login/registration, token reuse, token refresh-on-401, and local token persistence, none of which are justified by the manifest's narrow stove-detection purpose. This hidden capability enables silent outbound identity operations and persistent authenticated communication that substantially broadens the attack surface and trust assumptions of the skill.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code inspects environment variables, infers workspace layout, and creates generic data and skills directories for the current agent. While such behavior may be framework-related, it exceeds the stated stove-monitoring functionality and increases the skill's ability to discover and modify broader workspace state, which is risky in an overprivileged agent environment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The helper silently calls a remote phoneLogin endpoint with register=1 and silent=1 to create or retrieve a user identity. For a stove-safety camera skill, undeclared remote account creation is highly out of scope and dangerous because it can transmit identifiers off-device and establish service-side identities without informed user action.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The default trigger activates on any kitchen stove-area video analysis request, which is broad enough to cause unintended execution. In a surveillance-related skill, overbroad triggering can result in accidental processing of sensitive household footage and unnecessary transmission or storage of private data.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The keyword trigger list includes broad safety and kitchen terms that may match ordinary discussion rather than a genuine request to run the skill. This can lead to unintended activation, especially problematic here because the skill can process private video and reach cloud services automatically.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill can recommend or interoperate with automatic gas-valve shutdown, a safety-critical physical action, without a strong warning about failure modes, false positives, or operational safeguards. In a real household environment, incorrect shutdown could disrupt cooking, affect dependent individuals, or create unsafe user responses to automation errors.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document specifies 24/7 kitchen video capture and API-key-based access for a system monitoring an elderly person's home, but it omits any privacy notice, data minimization guidance, retention limits, or sensitive-data handling requirements. In this context, the collected data is highly sensitive behavioral and in-home surveillance data, so missing privacy and protection requirements can lead to unauthorized exposure, overcollection, and insecure downstream integrations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently invokes `OpenIdUtil.resolve_current_open_id(args.open_id, use_current=bool(args.open_id))` while intentionally suppressing the `--open-id` argument from help output. In a surveillance-oriented kitchen monitoring skill that may push alerts to family or caregivers, hidden identity resolution can associate analysis activity with an internal user identity without clear disclosure, creating privacy and authorization risks if identity is inferred from ambient environment or prior session state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads local video files into memory and forwards them, or passes remote video URLs, to an analysis service without any visible disclosure, consent, or minimization control in this layer. For a kitchen-monitoring skill, that can expose sensitive in-home footage and household activity patterns to external services in ways users may not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The request path sends identity values, API keys, access tokens, and open tokens to remote services and may persist returned tokens locally, yet this code contains no visible notice, consent, or disclosure mechanism. In the context of a home-monitoring safety skill, hidden transmission of account-linked metadata is privacy-sensitive and undermines user expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This function reads a workspace file named smyx-api-key.txt and reuses its contents as an internal identity value without any visible user acknowledgement. Accessing local credential material in a skill whose declared purpose is video-based stove detection is a scope mismatch and can expose or repurpose sensitive identifiers unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
97% confidence
Finding
requests.post(_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2