Back to skill

Security audit

Intelligent Public Smoking Detection Skill | 公共场所吸烟行为智能检测技能

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the advertised smoking-detection workflow, but it also silently creates or reuses cloud-linked user identity and stores tokens locally, which needs review before installation.

Install only if you are comfortable with submitted images/videos or URLs being processed by the vendor's remote service, report history being tied to an automatically managed identity, and local workspace storage of a generated user record plus session tokens. Review the publisher and service terms before using it on workplace, public-space, or personally identifiable footage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (26)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
75% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
75% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill directs use of local files, shell execution, network access, and likely environment/config handling, but declares no permissions or trust boundaries. This can mislead the host agent or reviewer about the skill's actual capabilities, increasing the chance of unsafe execution of file/network operations without proper user awareness or sandboxing.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The API documentation is clearly for a pet health analysis service and does not match the declared smoking-detection purpose of the skill. This kind of capability/documentation mismatch is dangerous because it can mislead integrators into calling unrelated endpoints, expose unintended backend functionality, or indicate the skill package was copied from another project without proper review, which increases the chance of hidden misrouting or unauthorized data handling.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes a history/listing capability via `show_analyze_list(open_id)` that goes beyond the stated detection/alerting behavior in the manifest. If the backing API returns prior analyses tied to an internal identifier, this can enable unauthorized access to historical records or metadata, especially because the identity handling elsewhere in the script is weakly disclosed and potentially user-influenced.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The module exposes a generic user-lookup helper (`get_user_by_username`) that is not clearly required for a smoking-detection skill. In a vision-detection context, this broad identity lookup capability expands access to potentially sensitive user information and can enable user enumeration or unauthorized correlation of surveillance results with identities if other parts of the skill misuse it.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file provides broad generic CRUD methods and arbitrary HTTP verb wrappers (`http_get`, `http_post`, `http_put`, `http_delete`) that are not specific to smoking detection. Such general-purpose network primitives significantly enlarge the skill's capability surface, making it easier for downstream code to call unintended internal or external services, bypass intended workflow restrictions, or repurpose the skill beyond its declared functionality.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The file contains a generic local user/account persistence layer, including usernames, real names, email, birthday, tokens, and open_token storage, which is unrelated to the advertised smoking-detection functionality. Hidden account-management capability broadens the skill's data collection and retention footprint, increasing privacy and misuse risk if operators do not expect user database behavior in a vision-analysis skill.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This module performs broad local database path rewriting, schema creation, schema alteration, and generic CRUD operations that go well beyond the manifest's stated smoking-detection behavior. The mismatch increases attack surface and creates an opportunity for covert state storage, sensitive data persistence, or unauthorized cross-component data sharing under the cover of a computer-vision skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This utility provisions a persistent default user identity, reads an identity from a workspace file, and stores the resolved identity in global runtime state. That behavior is unrelated to smoking detection and creates a hidden identity-management channel that can silently associate actions with a generated or recovered account, increasing privacy, accountability, and unauthorized-access risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The HTTP helper silently auto-registers or logs in a user via /sys/phoneLogin, obtains tokens, and persists them locally for reuse. For a computer-vision smoking-detection skill, this exceeds the declared functionality and introduces undisclosed account creation, credential handling, and remote service coupling that could be abused or surprise operators.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This code detects agent workspaces, locates skills/data directories, and mutates environment state by creating directories within the current workspace. While not inherently malicious, it is outside the expected scope of a smoking-detection feature and expands the skill's operational footprint, making persistence and cross-workspace side effects more likely.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The history-report auto-trigger phrases are broad enough that ordinary user requests could unintentionally invoke cloud history retrieval. That creates a risk of over-collection or disclosure of prior report metadata without sufficiently clear user intent, especially because the skill says this should happen automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that uploaded attachments and media will be automatically saved locally, but it does not provide a clear warning, retention policy, or storage boundary. Local persistence of user media can expose sensitive imagery or video to unintended access, later reuse, or leakage from the host filesystem.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill requires cloud/API-based retrieval and analysis of user-provided URLs and media, but it does not clearly warn users that their media or referenced content may be transmitted to a remote service. This creates privacy and compliance risk, especially for surveillance footage or sensitive workplace/community imagery.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends local media paths or remote URLs to an analysis backend through `skill.get_output_analysis(...)` without clearly warning the user that content may leave the local environment. For images/videos from public places, this can expose sensitive visual data, personal information, or surveillance footage to an external service without informed consent or policy acknowledgment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script resolves and uses an internal `open_id` without prominently disclosing that user identity information is being derived and applied. In a surveillance-oriented skill, silent identity association increases privacy risk and can link analysis actions or historical data to a user account without transparency.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code reads an arbitrary local file path, loads the entire file into memory, and submits its contents to an external analysis API without any user-facing consent, disclosure, or confirmation at the point of transfer. In a skill that may be invoked by an agent or automation layer, this creates a data exfiltration/privacy risk if a sensitive local file is provided intentionally or by mistake.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill accepts a user-supplied remote video URL and sends it to a backend analysis service via `skill.get_output_analysis(input_path)`, but the CLI provides no clear warning that user content or referenced remote resources may be transmitted to an external service. In a video-surveillance/smoking-detection context, the data may include sensitive footage, locations, or personal information, so undisclosed transmission creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
65% confidence
Finding
The save routine overwrites whatever path it is given and suppresses all exceptions, creating a silent arbitrary-file-write primitive if an attacker can influence the path argument. In a shared skill runtime, this can tamper with configuration, disable safeguards, or corrupt application state without leaving clear error signals.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The file helper opens arbitrary paths for writing and creates directories without any validation, restriction, or user-visible disclosure. In an agent environment, this can enable unintended overwrites or silent persistence if higher-level code passes attacker-influenced paths or uses the helper for opaque state changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code derives workspace paths from environment or script location and then creates data/skills directories automatically. Because the target path can be influenced by deployment environment and the action is silent, it can create persistence locations or modify unexpected workspaces without clear operator awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request utility sends user identity and authentication material in headers and request bodies, and may also print request/response details in debug mode. In the context of a smoking-detection skill, this undisclosed transmission is especially concerning because operators would not reasonably expect unrelated identity propagation and token use from local vision-processing functionality.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
93% confidence
Finding
requests.post(_url, json=

Hidden Instructions

High
Category
Prompt Injection
Content
|---|---|
| 📚 文档读取 | 仅在需要时读取参考文档,保持上下文简洁 |
| 📁 格式支持 | 支持格式:视频支持 mp4/avi/mov 格式,图片支持 jpg/png/jpeg 格式,最大 10MB |
| 🧑‍⚖️ 结果性质 | 分析结果仅供控烟管理参考,具体处置请按单位相关规定执行 |
| 🚫 脚本限制 | 禁止临时生成脚本,只能用技能本身的脚本 |
| 🌐 网络地址 | 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载 |
| 📁 格式支持 | 当显示历史检测报告清单的时候,从数据 json 中提取字段  作为超链接地址,使用 Markdown 表格格式输出,包含" |
Confidence
82% confidence
Finding

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2