Back to skill

Security audit

Thermal Relative Fever Screening (Multi-Person Gathering) | 家庭多人聚集时体温相对异常检测

Security checks across malware telemetry and agentic risk

Overview

This skill has a real thermal-screening purpose, but it needs review because it sends sensitive health-related media to cloud services and silently manages persistent identity and token data.

Install only if you are comfortable sending thermal household or public-area footage, report metadata, and local identity/account identifiers to the publisher's cloud services. Before use, confirm that every recorded person has consented, understand where reports are stored, and consider the local SQLite database because it may retain profile data and authentication tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill directs the agent to invoke local Python scripts, save user-provided files, access network URLs, and query cloud APIs, yet it declares no permissions or capability boundaries. This creates a transparency and control gap: a host system may auto-run a skill with filesystem, shell, network, and environment access beyond what users or policy engines expect, increasing the risk of unauthorized data exfiltration or unsafe command execution paths.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill accepts arbitrary HTTP/HTTPS video URLs and forwards them to the backend analysis service, which expands the skill beyond the stated fixed-camera screening use case. This creates a capability mismatch that can enable analysis of unintended third-party or remote content and may facilitate privacy abuse or unauthorized processing of externally sourced surveillance footage.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill exposes report listing and export-link generation features that are not described in the manifest's narrow screening purpose. Undocumented retrieval/export capabilities increase the risk of unauthorized access, broader data exposure, and misuse of potentially sensitive health-related analysis outputs.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill is described as thermal fever-screening analysis in public areas, but this shared DAO persists personally identifiable user profile data including username, real name, email, birthday, age, and sex. Collecting and storing identity data unrelated to the stated function increases privacy risk, expands breach impact, and creates unnecessary linkage between biometric/health-adjacent observations and personal identity.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
Storing token and open_token fields in a local SQLite user table is unrelated to a local thermal anomaly detection skill and materially increases the sensitivity of the datastore. If the database is accessed by another component, copied from the shared workspace, or exposed through debugging/logging, these credentials could enable account compromise or lateral access beyond this skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file defines a generic `ai_chat(prompt, session_id, timeout)` capability that is unrelated to the stated fixed-purpose thermal fever-screening function. Even though the subprocess body is currently commented out and the implementation is broken, this creates an unjustified interface for arbitrary agent interaction that could later be enabled and repurposed for broader actions than the skill description permits.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Accepting arbitrary `prompt` input for an agent invocation is an unnecessary and risky expansion of capability for a fixed-function thermal screening skill. In context, this mismatch is more dangerous because a public-area health-monitoring skill should be tightly constrained, whereas this code introduces a reusable agent-execution primitive that could be abused for unintended data handling or unsafe downstream actions if completed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The utility code performs generic account provisioning, token handling, and authenticated API access that are unrelated to the stated thermal fever-screening purpose. This creates an unnecessary capability for remote service interaction and identity bootstrap, expanding the attack surface and enabling silent backend actions under a locally derived user identity.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads a local API-key-like file, reuses existing identities, and creates persistent default user records when no identity is supplied. For a public-area fever-screening skill, silently establishing and persisting platform identities is unjustified and risks hidden account linkage, unexpected data association, and unauthorized service usage.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This code inspects agent workspace layout and creates data/skills directories, giving the skill broader filesystem awareness and persistence primitives than are needed for simple fever-screening analysis. In context, this is suspicious because it facilitates installation-side effects and local state creation outside the narrow operational scope of temperature comparison.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The default trigger activates whenever a user provides a thermal video URL or file, which is overly broad for a skill that uploads or processes sensitive health-related imagery. This can cause unintended automatic handling of thermal-health media and downstream cloud/API actions without a sufficiently specific user request or informed consent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The keyword activation list includes broad health and gathering-related phrases that can ambiguously match benign conversation, causing the skill to auto-trigger in contexts the user did not intend. In a health-monitoring skill tied to cloud processing and report retrieval, ambiguous activation increases the chance of accidental processing of sensitive data and unnecessary external API use.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill handles thermal video and derived health-related reports, and it explicitly references cloud queries and API-based processing, but it does not clearly warn users that sensitive biometric/health data may be transmitted to and stored by remote services. This is especially dangerous because the content concerns household members, children, and elderly people in private spaces, making uninformed collection and cloud processing a serious privacy and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads local file contents and sends them to the analysis service, but this file contains no user-facing disclosure, confirmation step, or visible consent mechanism. For a health/thermal analysis skill handling potentially sensitive video, silent upload of local media increases privacy and data-handling risk.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill submits user-provided remote video URLs to the backend analysis service without any visible disclosure in this code path. While less direct than local file upload, it still enables processing of potentially sensitive third-party video sources without transparent notice or clear consent boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The utility exposes file-writing and directory-creation helpers that can modify workspace state without any user-facing disclosure or consent mechanism. While simple on their own, these primitives enable silent persistence and side effects that are not obviously required for the advertised screening behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads identity-related state from environment variables and a local credential-like file without making that behavior visible to the user. This can silently bind skill actions to an existing account or secret, which is especially problematic when paired with later outbound authenticated requests.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code auto-creates local user records and persists them to storage without user-facing notice. Even if intended as convenience behavior, it creates durable identity state and potential tracking/account-coupling that is unrelated to the thermal screening function.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request logic transmits usernames/open IDs and authentication tokens in outbound HTTP requests without any explicit user disclosure in the skill context. For a skill that should primarily analyze thermal imagery locally or minimally, silent authenticated network transmission materially increases privacy and security risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code stores remote user info and refreshed tokens locally after network operations, creating persistent authentication material on disk without clear user awareness. This increases the consequence of local compromise and broadens how long and where credentials remain exposed.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
95% confidence
Finding
requests.post(_url, json=

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2