Security audit

Cat & Dog Health Diagnostic Analysis Tool | 猫狗宠物健康诊断分析工具

Security checks across malware telemetry and agentic risk

Overview

This pet-analysis skill mostly matches its stated cloud-analysis purpose, but it silently creates or reuses identities, stores auth tokens locally, and can query cloud report history with under-scoped identity controls.

Install only if you are comfortable with pet videos or URLs being sent to the Life Emergence backend, with the skill silently creating or reusing an internal identity, storing auth tokens in a local workspace database, and fetching cloud report history automatically when prompted. Avoid using it for private home footage or sensitive URLs unless the publisher clarifies authorization, retention, and account-control behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (20)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
74% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
74% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to use shell commands, access local files, and invoke networked APIs, but it declares no permissions or trust boundaries. This creates a capability mismatch that can cause the host agent to perform sensitive operations without explicit user or platform approval, especially when handling local uploads and remote URLs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script exposes a `--list` mode that retrieves prior pet health analyses by `open_id`, which is outside the core purpose of analyzing a supplied pet video. Because the file also supports a hidden `--open-id` parameter, this creates a plausible path for enumeration or access to another user's historical analysis data if downstream authorization is weak or absent.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The comment claims internal user identity initialization does not require user input, yet the code accepts a hidden `--open-id` argument and passes it into identity resolution. Hidden identity-selection parameters are risky because they obscure a trust boundary and can enable impersonation or unauthorized access if callers can set another user's identifier.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script exposes a `--list` mode that retrieves a user's analysis history via `skill.get_output_analysis_list(open_id=open_id)`, but the declared skill purpose only describes pet video analysis, not history enumeration. Undocumented data-access capabilities are risky because they can surprise users, expand the attack surface, and enable access to prior health-analysis metadata without clear consent or disclosure.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This code manages local user/account records, including usernames, email, tokens, and default-user selection, which is outside the manifest's stated pet video health-analysis scope. Scope mismatch is dangerous because it indicates hidden data collection and persistence capabilities that could retain identifiers or credentials without clear user expectation or need.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module implements broad local database CRUD, update-by-username, and record deletion behavior that exceeds the declared pet analysis/report generation functionality. In a skill that handles user-provided URLs/files, extra persistence and generic data-management primitives enlarge the attack surface and create opportunities for unauthorized data retention or manipulation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This utility silently resolves, generates, persists, and reuses synthetic user identities unrelated to the stated pet-video analysis purpose. It can cause undisclosed account creation and identity binding on behalf of users or operators, expanding data collection and enabling unauthorized attribution of later API activity to a fabricated or locally sourced identity.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP helper automatically calls an external /sys/phoneLogin endpoint with register=1 and silent=1 to create or log in users whenever tokens are missing. That behavior exceeds the declared pet-analysis function and can provision accounts, transmit identifiers, and obtain tokens without explicit user action or disclosure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The history-report trigger phrases are broad enough to match ordinary conversation, which can cause the skill to invoke cloud history queries unexpectedly. Because the history function is tied to internally managed identity and retrieves prior reports, accidental activation can expose sensitive report metadata or links without sufficiently clear user intent.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The default activation rule says the skill should trigger whenever a user provides a pet video URL or file for analysis, but it does not define precise boundaries or exclusions. This ambiguity can lead to the skill activating on loosely related content and automatically processing local files or remote URLs, increasing the chance of unintended data transfer to the backend service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill accepts either a local file path or a remote URL and forwards the file contents or URL to a backend analysis service without any visible consent, warning, or trust-boundary disclosure in this code path. Because pet videos may contain sensitive metadata, private home environments, or authenticated/internal URLs, this creates a real privacy and data-exposure risk if users do not understand that their content is being transmitted off-device.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The analysis path sends a local file path or remote URL into backend processing through `skill.get_output_analysis(input_path)` without any explicit notice that user-supplied pet videos may be transmitted to an external service. In this skill context, the content is potentially sensitive health-related media, so silent transmission creates privacy and consent risks even if the backend is legitimate.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads an identity value from a local workspace file named like an API key and reuses it as an open-id without user-facing notice. This can silently couple local secrets or operator-provided identifiers to remote requests, creating privacy and authorization surprises outside the pet-analysis scope.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request helper automatically injects pnaUserName, tenant/platform metadata, and authentication headers including X-Access-Token, X-Api-Key, and Authorization into outbound requests. In a skill that accepts user-provided pet videos or URLs, this hidden transmission broadens data sharing and authentication scope without clear consent or minimization.

External Transmission

Medium
Category
Data Exfiltration
Content
    "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
}
try:
    _response = requests.post(_url, json=_data)
    if _response.status_code == 200:
        _response_json = _response.json()
        if _response_json and _response_json.get("success"):
Confidence
95% confidence
Finding
requests.post(_url, json=

Unvalidated Output Injection

High
Category
Output Handling
Content
try:
    # Execute the command
    # result = subprocess.run(
    #     cmd,
    #     capture_output=True,
    #     text=True,
Confidence
95% confidence
Finding
subprocess.run( # cmd, # capture_output

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 Document reading | Read the reference documents only when needed; keep the context concise |
| 📁 Format support | Video requirements: mp4/avi/mov formats are supported, maximum 10MB |
| 🧑‍⚖️ Nature of results | Analysis results are for health reference only and cannot replace a professional veterinary diagnosis |
| 🚫 Script restriction | Generating ad-hoc scripts is prohibited; only the skill's own scripts may be used |
| 🌐 Network address | Network address parameters passed in do not need to be downloaded locally; by default all addresses are public, and the API service downloads them automatically |
| 📜 Report output | When displaying the list of historical analysis reports, extract the  field from the JSON data returned by the interface as the hyperlink address and automatically convert it into the following Markdown |
Confidence
90% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
---
name: "pet-analysis"
description: "Triggers when a user provides a video URL or file of a pet (cat/dog/bird) for analysis; supports local video uploads or network URLs to call server-side APIs for health checks, analyzing features like fur, body, and face to identify potential diseases and generate a Pet Safety Guardian health report. | 猫狗宠物健康诊断分析工具,当用户提供猫/狗/鸟等宠物的视频 URL 或文件需要分析时,触发本技能进行宠物健康诊断分析;支持通过上传本地视频或网络视频 URL,调用服务端 API 进行宠物健康检查,分析毛发、身体、脸部等特征,识别潜在疾病并输出宠安卫士健康报告"
license: "MIT-0"
---
Confidence
87% confidence
Finding
description:; ‍

VirusTotal

63/63 vendors flagged this skill as clean.