Back to skill

Security audit

Livestock Fever Detection | 畜禽体温异常检测

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real cloud-based livestock image analysis tool, but it silently creates or reuses identities and stores account tokens locally in ways users should review before installing.

Install only if you are comfortable sending livestock images/videos and account-linked report queries to the provider's cloud service. Review the provider and storage model first: this skill can create or reuse an internal identity, read a workspace API-key file, keep tokens in a local SQLite database under the workspace data directory, and retrieve prior cloud reports tied to that identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its documented behavior includes shell execution, file reads/writes, network access, and likely environment access. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill can do, and the hidden capabilities materially increase the attack surface for data exfiltration, unsafe command execution, and unintended persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is narrow medical-style image screening, but the skill behavior extends to backend account creation/login, token/open ID persistence, historical report retrieval, export-link generation, and generic remote AI processing. This mismatch is dangerous because it conceals identity handling and remote data flows that users would not reasonably expect, undermining informed consent and making abuse or overcollection harder to detect.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script exposes `show_analyze_list()` to retrieve historical analysis reports, which is outside the stated purpose of single-item fever detection from imagery. Because this capability is tied to an internal user identity, it expands the data-access surface and could enable unauthorized viewing of prior reports if invoked in contexts where users do not expect account-scoped history access.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code silently resolves and uses an internal `open_id` before performing actions, even though image-based fever detection does not inherently require identity binding. Hidden identity resolution increases privacy risk and creates an avenue for account-linked data access, especially when combined with the report-listing functionality.

Description-Behavior Mismatch

Medium
Confidence
77% confidence
Finding
The skill exposes report listing and export URL generation functionality beyond the manifest's stated detection purpose, increasing the accessible data surface. If upstream authorization is weak or absent, this can enable unintended access to prior analysis results and report artifacts, which may contain sensitive operational or health-related data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file implements a generic user-account persistence layer inside a skill whose declared purpose is livestock fever detection. This scope mismatch increases risk because it introduces unnecessary identity and account-handling functionality that broadens the attack surface and may enable collection or retention of unrelated user data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores authentication-related tokens plus personal profile fields such as username, realname, email, birthday, age, and sex, which are unrelated to fever detection. Persisting this sensitive data in a local SQLite database without evident encryption, retention limits, or access controls creates substantial privacy and credential exposure risk if the workspace or database file is accessed.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This utility code performs broad agent workspace discovery and creates shared data/skills directories, functionality unrelated to livestock fever detection. In a skill context, unnecessary filesystem and workspace-management capability expands the attack surface and can enable unintended cross-skill or cross-agent persistence and file manipulation.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code resolves user identities, reads a workspace identity file, creates default users, and persists user records locally, which is far beyond the declared purpose of fever detection from imagery. Hidden identity bootstrapping and account lifecycle behavior in a vision-analysis skill is dangerous because it can silently appropriate local credentials or establish persistent remote-linked identities without clear user consent.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The HTTP wrapper includes external login/provisioning, token reuse, token persistence, account balance handling, and payment guidance logic that is unrelated to fever detection. This makes the skill capable of transmitting identity and tokens to external services and coupling core execution to hidden service-side account operations, increasing privacy, integrity, and abuse risks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill reads an identity value from data/smyx-api-key.txt and, if absent, provisions a default user in a local database for later reuse. For an image-based livestock health skill, this is unjustified credential/identity handling that can silently bind execution to local secrets or create persistent identifiers without the user's knowledge.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code can derive agent workspace roots and create data and skills directories, including shared skills storage, despite no apparent need for these capabilities in a livestock temperature-analysis skill. Unnecessary install/storage control can be abused for persistence, pollution of other skill environments, or unauthorized file placement.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The history-report trigger phrases are broad enough that ordinary conversation about reports could automatically invoke cloud history retrieval. In a skill that associates requests with an internally managed identity and accesses remote records, ambiguous auto-triggering can expose prior reports without sufficiently clear user intent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Using the standalone phrase '历史报告' as an auto-trigger is too vague and can cause unintended retrieval of remotely stored report history. Because the skill is designed to auto-associate identity and query cloud records, accidental activation could disclose sensitive operational or health-screening data to someone who did not clearly request it.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script initializes internal identity handling without exposing this behavior in normal help text or warning the user. Hidden collection or use of identity context is dangerous because users cannot make an informed decision, and it can support undisclosed tracking or access to account-scoped records.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The CLI defines a hidden `--api-key` parameter and transmits analysis requests through backend skill methods without clear user-facing disclosure that credentials and potentially sensitive media may be sent to a remote service. In a livestock monitoring context, uploaded imagery or video can contain operationally sensitive farm data, so concealed credential/network handling undermines informed consent and can lead to unintended data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code reads a sensitive identity value from a workspace file without any visible disclosure, confirmation, or scope limitation. Silent use of local identity material is risky because users may not realize the skill is inheriting credentials or identifiers from the environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request path sends user identifiers and authentication tokens in headers and request bodies to remote endpoints without any user-facing notice in this file. In the context of a livestock fever detection skill, undisclosed transmission of identity-linked metadata is disproportionate and creates privacy and account-security concerns.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2