
Security audit

Livestock Counting | 养殖场盘点计数 (Farm inventory counting)

Security checks across malware telemetry and agentic risk

Overview

The skill performs cloud livestock counting, but it silently uses account identity, stores tokens locally, and retrieves report history with limited user control.

Install only if you are comfortable sending barn images/videos or supplied media URLs to the vendor cloud service and allowing the skill to maintain a local account identity. Review how the service handles uploaded media, generated reports, local SQLite token storage, and historical report access before using it with sensitive farm, employee, or facility footage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    if offset:
        query = query.offset(offset)
Confidence
76% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
76% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
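Both getattr() findings above point at the same pattern: filter keys supplied by the caller are resolved against the model class with getattr(), so any class attribute, not just the columns a caller should be able to filter on, becomes a filter term. The following is an added illustration by the editor, not code from the audited skill or from SQLAlchemy; it uses a stand-in model (the User fields mirror the audit's description, but the class, the Column helper and the FILTERABLE allowlist are assumptions) so it runs offline. It shows the flagged pattern next to an allowlisted version.

```python
# Added example (editor's illustration, not code from the audited skill or from
# SQLAlchemy): a stand-in model shows why getattr(model, key) on caller-supplied
# filter keys is risky, and how an explicit allowlist closes it.
from typing import Any, Dict, FrozenSet, List

FilterClause = Any  # (column_name, value) tuple in this stand-in


class Column:
    """Stand-in for a declared ORM column; `col == value` yields a clause tuple."""

    def __init__(self, name: str) -> None:
        self.name = name

    def __eq__(self, other: Any) -> FilterClause:  # type: ignore[override]
        return (self.name, other)

    __hash__ = object.__hash__


class User:
    """Hypothetical model mirroring the audit's User fields. `token` and
    `open_token` are stored columns but must never be filterable by a caller:
    a filter on them is an equality oracle for the secret value."""

    __tablename__ = "user"
    id = Column("id")
    username = Column("username")
    realname = Column("realname")
    token = Column("token")
    open_token = Column("open_token")


# Columns a caller may filter on; every other key is rejected (assumed policy).
FILTERABLE: Dict[type, FrozenSet[str]] = {User: frozenset({"id", "username", "realname"})}


class FilterKeyError(ValueError):
    pass


def build_filters_unsafe(model: type, filters: Dict[str, Any]) -> List[FilterClause]:
    """Pattern flagged in the audit: any attribute name reaches getattr().

    A caller can filter on secret columns (token oracle) or on non-column
    attributes such as __tablename__, which silently becomes a bogus
    constant clause instead of an error.
    """
    return [getattr(model, key) == value for key, value in filters.items()]


def build_filters_safe(model: type, filters: Dict[str, Any]) -> List[FilterClause]:
    """Hardened version: resolve keys through an allowlist of column names only."""
    allowed = FILTERABLE.get(model, frozenset())
    clauses: List[FilterClause] = []
    for key, value in filters.items():
        if not isinstance(key, str) or key not in allowed:
            raise FilterKeyError(f"filter key not allowed: {key!r}")
        clauses.append(getattr(model, key) == value)
    return clauses
```

With a real ORM the allowlist can be derived from the mapped columns (and then narrowed), but it must be an explicit set: checking only that the attribute exists on the class still lets a caller reach token columns and relationship attributes.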

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to use shell, network, file read/write, and likely environment-backed identity handling, but the manifest declares no permissions. This creates a capability/expectation mismatch that can bypass user or platform scrutiny and makes the skill harder to sandbox correctly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes a history-listing mode that retrieves prior analysis reports by internal user identity, which exceeds the advertised function of counting livestock from supplied media. Because identity resolution is hidden and the feature is not clearly disclosed, it creates a risk of unauthorized access to historical data or metadata tied to a user account.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill accepts arbitrary HTTP/HTTPS URLs and forwards them for backend analysis without restricting domains, validating content type, or documenting the network fetch behavior. This expands the trust boundary beyond local camera media and can enable unintended external resource access, privacy issues, or backend abuse if attackers supply malicious or internal-facing URLs. This is the server-side request forgery pattern: a URL chosen by the caller is fetched by the backend, which may reach internal services or cloud metadata endpoints that the caller could not reach directly.
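What the finding asks for in practice is an outbound-URL policy applied before any fetch or forward. The block below is an added example written by the editor, not the audited skill's code; the allowlist, the media types, the resolver hook and the constructed FAKE_DNS table are assumptions so that it runs offline. It checks scheme, embedded credentials, port, an optional host allowlist and, after resolution, that every address is public, then returns a pinned IP for the fetcher to connect to.

```python
# Added example (editor's illustration, not the audited skill's code): an
# outbound-URL policy for a media URL before it is handed to any fetcher or
# forwarded to a backend. Allowlist, resolver hook and media types are assumptions.
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
ALLOWED_SCHEMES = {"https"}
ALLOWED_MEDIA_TYPES = {"image/jpeg", "image/png", "video/mp4"}


class UrlPolicyError(ValueError):
    pass


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; the offline demo below injects fake_resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_media_url(url: str, allowed_hosts: Optional[Iterable[str]] = None,
                       resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Return (normalized_url, pinned_ip) or raise UrlPolicyError.

    The caller must connect to the pinned IP (sending the hostname as Host/SNI);
    re-resolving at fetch time reopens the DNS-rebinding window this closes.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UrlPolicyError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UrlPolicyError("credentials embedded in URL")
    host = (parts.hostname or "").lower()
    if not host:
        raise UrlPolicyError("missing host")
    if parts.port not in (None, 443):
        raise UrlPolicyError(f"port not allowed: {parts.port}")
    if allowed_hosts is not None and not any(
            host == h or host.endswith("." + h) for h in allowed_hosts):
        raise UrlPolicyError(f"host not in allowlist: {host}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: check it directly
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UrlPolicyError(f"host did not resolve: {host}")
    for addr in addrs:  # every address must be public, not just the first
        if not _is_public(addr):
            raise UrlPolicyError(f"{host} resolves to non-public address {addr}")
    return parts.geturl(), addrs[0]


def media_type_allowed(content_type: str) -> bool:
    """Check the response Content-Type against the declared media types only."""
    return content_type.split(";", 1)[0].strip().lower() in ALLOWED_MEDIA_TYPES


# Constructed resolver table for the offline demo (no real DNS is consulted).
FAKE_DNS = {
    "media.example.com": ["8.8.8.8"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["9.9.9.9", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

The content-type check belongs after the fetch, on the actual response header, and should be paired with a size cap and a redirect policy (each redirect target goes through validate_media_url again), since a permitted host can still redirect to an internal address.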

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The output includes a report export link derived from a result ID, and the skill also exposes report-listing behavior beyond a simple livestock headcount response. That broadens the capability surface to retrieval of prior analysis artifacts, which may leak historical report data or images if authorization is weak elsewhere in the stack.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This file exposes generic add/edit/delete and arbitrary http_get/http_post/http_put/http_delete wrappers that can be used to reach unrelated backend endpoints, far beyond the stated livestock-counting purpose. In an agent skill context, broad network-capable helpers increase the attack surface for data exfiltration, unauthorized state changes, or repurposing the skill as a general API client if other parts of the skill can influence the URL or payload.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The get_user_by_username helper introduces user-account lookup functionality that is unrelated to image-based livestock counting and suggests access to broader platform capabilities. Even if not directly exploitable here, such capability can enable user enumeration or exposure of internal account metadata when combined with agent-controlled inputs or downstream misuse.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This file defines generic user-account storage and lookup logic, including username/realname matching and default-user selection, which is unrelated to a livestock-counting skill's stated purpose. Such hidden identity-management functionality increases the attack surface and creates a risk of covert collection or persistence of user data beyond user expectations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code creates and mutates a local SQLite database and forcibly redirects paths into a shared workspace data directory, behavior not reflected in the livestock-counting description. Undisclosed persistent storage can retain sensitive operational data, surprise users, and enable cross-component data exposure within the agent workspace.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The User model stores token and open_token fields even though authentication-token handling is not justified by a livestock-counting workflow. Persisting authentication-like secrets in a local SQLite database materially increases the risk of credential theft, replay, or lateral misuse if the workspace is accessed by other components or users.
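A practitioner deciding whether to keep this skill will want to look at what the workspace database actually holds and who can read it. The block below is an added check written by the editor, not the audited skill's code; the schema it creates (a user table with token and open_token columns, mirroring the finding), the data/skill.db path and the sample row are constructed for the demo. It lists secret-looking columns with how many rows populate them, reports whether the file is group- or world-readable, and tightens the mode to owner-only.

```python
# Added example (editor's check, not the audited skill's code): inspect a
# workspace SQLite database for secret-bearing columns and loose file modes,
# then tighten the modes. Schema, path and row below are constructed for the demo.
import os
import re
import sqlite3
import stat
import tempfile
from typing import Dict, List, Tuple

SECRET_COLUMN = re.compile(r"token|secret|passw(or)?d|api[_-]?key|credential", re.IGNORECASE)


def find_secret_columns(db_path: str) -> List[Tuple[str, str, int]]:
    """Return (table, column, populated_rows) for every secret-looking column."""
    hits: List[Tuple[str, str, int]] = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            qt = table.replace('"', '""')
            for _cid, col, *_rest in con.execute('PRAGMA table_info("{}")'.format(qt)):
                if SECRET_COLUMN.search(col):
                    qc = col.replace('"', '""')
                    sql = 'SELECT COUNT(*) FROM "{t}" WHERE "{c}" IS NOT NULL AND "{c}" <> \'\''
                    (n,) = con.execute(sql.format(t=qt, c=qc)).fetchone()
                    hits.append((table, col, n))
    finally:
        con.close()
    return hits


def group_or_world_readable(path: str) -> bool:
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def harden(db_path: str) -> None:
    """Owner-only access for the DB file and its directory. This is a floor, not a
    substitute for keeping bearer tokens out of plaintext on-disk storage."""
    os.chmod(db_path, stat.S_IRUSR | stat.S_IWUSR)
    os.chmod(os.path.dirname(db_path), stat.S_IRWXU)


def demo() -> Dict[str, object]:
    """Build a constructed workspace DB, audit it, harden it, audit again."""
    workdir = tempfile.mkdtemp(prefix="skill-audit-")
    data_dir = os.path.join(workdir, "data")
    os.mkdir(data_dir)
    db_path = os.path.join(data_dir, "skill.db")  # hypothetical path for the demo
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, "
                    "realname TEXT, token TEXT, open_token TEXT)")
        con.execute("INSERT INTO user VALUES (1, 'default', 'Default User', "
                    "'tok-constructed-1', NULL)")
        con.execute("CREATE TABLE report (id INTEGER PRIMARY KEY, result_id TEXT)")
    con.close()
    os.chmod(db_path, 0o644)  # simulate the usual default mode before hardening
    before = group_or_world_readable(db_path)
    harden(db_path)
    return {
        "secret_columns": find_secret_columns(db_path),
        "readable_before": before,
        "readable_after": group_or_world_readable(db_path),
    }
```

Run demo() against a real workspace by pointing find_secret_columns and group_or_world_readable at the skill's database path instead of the constructed one; a non-zero populated count on a token column is the concrete evidence that credentials are persisted, and a readable_before of True means every other component sharing the workspace could have read them.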

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This utility module performs authenticated remote login/registration and general API request handling that is unrelated to livestock counting. In the context of an image-counting skill, silently creating accounts, obtaining tokens, and transmitting identity-linked data materially expands the attack surface and can enable covert external communications or unauthorized account activity.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code reads identity from workspace files, falls back to local database records, and persists a generated default open-id without a clear need for counting livestock in local media. This creates unnecessary identity statefulness and risk of cross-task tracking or reuse of credentials across unrelated operations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The workspace discovery logic enumerates agent workspace structure and creates shared data/skills directories, behavior that is broader than needed for simple livestock counting. In a skill context, this increases filesystem reach and creates opportunities for unintended access to shared agent state or persistence locations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The history-report trigger phrases are broad enough that ordinary user requests like asking about past reports could automatically invoke a cloud query. That can cause unintended data access or disclosure, especially because the skill says the query must run directly against the cloud API without additional confirmation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill says uploaded attachments are automatically saved as local files, but does not present that behavior as a clear user-facing warning or consent point. This can surprise users and increase privacy risk, particularly for sensitive farm imagery or videos that may persist on disk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code initializes an internal user identity via `OpenIdUtil.resolve_current_open_id` without clear disclosure to the user and without requiring explicit consent in the normal workflow. Hidden identity binding is dangerous because it can silently associate actions and accessible data with an internal account context, enabling privacy violations or unintended access to account-scoped resources such as analysis history.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads the entire local file and uploads its contents to an analysis service without any user-facing notice, consent step, or visible indication in this component. For camera footage and barn imagery, this can expose sensitive operational or personal data and creates a privacy/compliance risk if users assume processing is local.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The hidden `--api-key` parameter and remote-analysis workflow obscure the fact that user-supplied local paths or URLs may be processed by a backend service. In a media-analysis skill, this raises privacy and data-handling risks because users may unknowingly transmit sensitive barn, facility, or operational footage to an external system without clear disclosure or consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently reads a sensitive identity value from data/smyx-api-key.txt and uses it as an internal open-id source without user-facing notice. That behavior can appropriate existing workspace credentials or identifiers for network actions unrelated to the user's immediate livestock-counting request.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The utility automatically issues network login/registration requests with user-identifying fields and no user disclosure. In a livestock-counting skill, hidden account enrollment and authentication are unexpected and undermine informed consent and data minimization.

External Transmission

Medium
Category
Data Exfiltration
Content
        "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
    }
    try:
        _response = requests.post(_url, json=_data)
        if _response.status_code == 200:
            _response_json = _response.json()
            if _response_json and _response_json.get("success"):
Confidence
98% confidence
Finding
requests.post(_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2
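The static rule above flags an install source whose host is a URL shortener or a raw IP, because neither ties the download to a verifiable name. The block below is an added example written by the editor, not the scanner's own rule: it reproduces that check as a small scanner over a config file, adding plaintext http as a third reason, and reports line numbers in the same file:line style as the finding. The shortener list and the SAMPLE_CONFIG text are constructed for the demo.

```python
# Added example (editor's detection logic, not the scanner's own rule): flag
# install/source URLs pointing at a URL shortener or a raw IP literal, plus
# plaintext http. The shortener list and sample config are constructed.
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_source(url: str) -> List[str]:
    """Return the list of reasons a source URL is untrusted (empty if none)."""
    reasons: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # bracketed IPv6 is unwrapped by urlsplit
    try:
        ipaddress.ip_address(host)
        reasons.append("raw-ip")
    except ValueError:
        pass
    if host in SHORTENERS or any(host.endswith("." + s) for s in SHORTENERS):
        reasons.append("url-shortener")
    if parts.scheme.lower() == "http":
        reasons.append("plaintext-http")
    return reasons


def scan_config(text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan every line for URLs and return (line_no, url, reasons) for each hit."""
    findings: List[Tuple[int, str, List[str]]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            url = m.group(0).rstrip(".,;)")
            reasons = classify_source(url)
            if reasons:
                findings.append((lineno, url, reasons))
    return findings


# Constructed sample config (keys are hypothetical; not the skill's real file).
SAMPLE_CONFIG = """\
service:
  base_url: http://203.0.113.7:8080/api
  docs_url: https://docs.example.com/skill
  installer: https://bit.ly/abc123
  mirror: https://[2001:db8::1]/skill.tar.gz
"""


def report(text: str, filename: str) -> List[str]:
    """Render findings as filename:line lines, as the audit page does."""
    return [f"{filename}:{n} {url} ({', '.join(r)})" for n, url, r in scan_config(text)]
```

A raw-IP or shortener source is a warning rather than a vulnerability in itself; the follow-up is to resolve the shortener out of band, confirm the real host, and pin the artifact by hash before installing.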