Back to skill

Security audit

Pet Vocal Emotion Deep Classification | 宠物叫声情绪深度分类

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real cloud pet vocal-analysis tool, but it quietly adds account identity, token persistence, cloud history lookup, and report-link access beyond the simple classifier description.

Install only if you are comfortable with remote cloud processing and account-linked history. The skill may upload media or URLs, create or reuse an internal user identity, store tokens locally, and expose prior report links; avoid using it with sensitive media or shared workspaces unless those behaviors are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises no declared permissions, yet its documentation clearly instructs use of shell execution, network access, local file handling, and likely environment/state access. This creates a misleading trust boundary: reviewers and users may assume a low-risk audio classifier, while the skill can execute code paths that access local and remote resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is audio emotion classification, but the workflow also covers remote login, identity creation/reuse, local SQLite persistence, cloud history retrieval, and report-link exposure. This mismatch is dangerous because it conceals account-linked data processing and persistence behaviors that materially expand privacy, security, and abuse risk beyond the stated function.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The documentation expands the skill beyond simple audio classification into image/video analysis, cloud history lookup, report links, and suggestion/report output. Scope expansion without clear separation increases the chance of unintended data collection or tool invocation, especially when users believe they are invoking a narrowly bounded local analysis feature.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The skill says it will not provide advice, yet other sections say it outputs suggestions/advice. Contradictory instructions are risky because they can lead the agent to exceed intended safety boundaries and produce quasi-medical or behavioral guidance in a pet-health context.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented endpoints for paginated history queries and full report export expand the skill's apparent capability beyond the manifest's stated scope of returning only emotion classification results with confidence. This scope mismatch can enable unintended access to historical or richer report data, increasing the risk of over-collection, unauthorized disclosure, or downstream misuse if the agent exposes those APIs.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The API naming and report terminology consistently reference a broader 'health analysis' service, suggesting this skill may be backed by a more powerful API than the user-facing description implies. When a narrowly scoped skill fronts a broadly scoped backend, there is a real risk of privilege creep, accidental invocation of unrelated functions, or exposure of sensitive health-style report data outside the intended use case.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill exposes a historical report listing function via `show_analyze_list()` and the `--list` flag, which goes beyond the stated purpose of analyzing a single user-provided pet vocalization. This creates a data exposure risk because previously generated reports may be retrievable without clear authorization boundaries or user-facing disclosure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code resolves and uses an internal user identity through `OpenIdUtil.resolve_current_open_id(...)` and then uses `ConstantEnum.CURRENT__OPEN_ID` to access report history. For an audio emotion-classification tool, this identity linkage is not necessary for the core function and can enable access to user-associated records without transparent justification or robust access validation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code unwraps and returns generic `commonAiResponse` and `healthAiResponse` objects and also emits a report export URL, which exceeds the manifest’s stated scope of only pet vocal-emotion classification results with confidence scores. This can expose broader backend report content or links than users would reasonably expect, creating a scope/authorization mismatch and potential unintended data disclosure.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The skill exposes report-history listing functionality via `get_output_analysis_list`, even though the manifest describes a trigger-and-analyze flow rather than report retrieval/history access. If callable by the hosting platform, this can reveal prior analysis metadata or reports beyond the immediate user request, expanding data exposure and attack surface.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The implementation materially diverges from the declared skill purpose: it presents itself as a pet vocalization emotion classifier but actually exposes a generic video analysis path via `skill.get_output_analysis(input_path)` and accepts arbitrary local files or URLs. This kind of scope mismatch is dangerous because callers, reviewers, and policy controls may trust the manifest’s narrow purpose while the code can process broader content than advertised, enabling unauthorized data handling or policy bypass.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The `--list` flow exposes historical analysis retrieval through `skill.get_output_analysis_list(open_id=open_id)`, which is not justified by the stated function of returning only current classification results. History-listing expands data access beyond the user’s immediate submission and can expose prior analyses or metadata, increasing privacy and authorization risk if `open_id` resolution or backend access control is weak.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This file exposes broad generic network capabilities including add, edit, delete, and arbitrary HTTP GET/POST/PUT/DELETE helpers that are unrelated to a skill described as read-only pet vocal emotion classification. If skill logic or upstream inputs can reach these methods, the skill can be repurposed to interact with arbitrary backend endpoints, expanding the attack surface well beyond audio analysis and enabling unintended data access or remote state changes.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The presence of add, edit, and delete methods indicates support for remote modification workflows, which conflicts with the manifest's stated behavior of only producing classification results from pet audio. In this context, write-capable operations are dangerous because they can be abused to alter remote resources or backend records under the cover of an apparently read-only analysis skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is described as performing pet vocalization emotion classification, but this module includes persistent user/account DAO functionality unrelated to that narrow purpose. Unnecessary identity persistence expands the data attack surface, increases privacy risk, and creates opportunities for misuse or lateral functionality beyond the declared skill scope.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores identity attributes plus token and open_token fields, which are powerful secrets and unjustified for an audio-emotion classification skill. If this database is accessed by unrelated components or compromised locally, stored tokens could enable account takeover, impersonation, or unauthorized API access well beyond the skill's stated function.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file defines a generic `ai_chat` capability that is unrelated to the stated pet vocal emotion classification purpose, expanding the skill's effective functionality beyond its declared scope. Even though the subprocess invocation is currently stubbed out, this hidden/general-purpose agent interface creates unnecessary attack surface and could later be wired to execute arbitrary prompts or actions without corresponding policy controls.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility code goes beyond the declared pet audio-emotion analysis purpose by resolving, generating, and persisting user identities from workspace files and a local database. That creates undisclosed identity management behavior and enables silent reuse of local credentials or synthetic identities, which is risky in a skill that users would expect to only analyze uploaded media.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The HTTP helper silently performs login/registration, loads tokens from local storage, refreshes them, and persists tokens for later reuse. For an analysis-only skill, this is dangerous because it introduces hidden account operations and credential handling that can transmit identity data off-box and expand the attack surface far beyond audio classification.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Reading a workspace API-key identity file and inferring workspace context is unrelated to the stated function of classifying pet vocal emotion. In this context, the behavior is suspicious because it can harvest local identity material and environment metadata without a user expectation that media analysis would inspect workspace internals.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Agent workspace discovery and automatic creation of data/skills directories are broader environment-management capabilities than this skill's declared analysis-only purpose requires. While not inherently malicious, this increases capability and persistence surface, making the skill more dangerous if combined with other code paths that store identities, tokens, or downloaded content.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad trigger phrases that automatically invoke cloud history lookup can cause the skill to access account-linked historical reports without sufficiently specific user intent. In a privacy-sensitive context, auto-triggering remote queries based on loose wording raises the risk of over-collection and unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill omits a clear warning that uploaded files/URLs and report queries are sent to remote/cloud services. Users may reasonably believe analysis is local, so the missing disclosure undermines informed consent and can expose private media and account-linked metadata to external systems unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2