Security audit

Vocalization Health Analysis | 畜禽声纹健康分析

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does the advertised remote media analysis, but it silently creates or reuses an identity and stores remote tokens, so it needs review before installation.

Install only if you are comfortable sending livestock audio/video or supplied URLs to lifeemergence.com/open.lifeemergence.com services and allowing the skill to silently create or reuse a local identity. Review and clear workspace data/smyx-api-key.txt and the generated data/smyx-common-claw.db if you do not want identity values or tokens reused across runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to read/write local files, invoke shell commands, access network resources, and potentially use environment-derived identity/configuration, yet no explicit permissions are declared. This creates a capability/expectation mismatch that can bypass policy review and surprise operators, especially because the workflow includes automatic local file saving and cloud API access.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes a history-listing function keyed to an internal user identity (`open_id`) even though the skill description is limited to analyzing vocalizations and returning health hints. This creates a privacy and scope-expansion risk: if identity resolution or authorization is weak in the underlying helpers, a caller may access prior analysis records unrelated to the current input.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially contradicts the manifest: it presents and operates as a generic video-analysis CLI rather than a livestock vocalization respiratory-health analyzer. This kind of capability mismatch is dangerous because users and orchestrators may route sensitive animal-health workflows or trust decisions to a tool that actually sends arbitrary video inputs to another analysis path, creating deception, misclassification, and unintended data exposure risks.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The user-facing strings explicitly describe the tool as a video analysis utility, which directly conflicts with the stated livestock vocalization health-analysis purpose. In a security context, contradictory documentation increases the chance of unsafe delegation, misleading operator trust, and accidental submission of inappropriate or sensitive media to an external backend.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This file exposes generic CRUD and raw HTTP client helpers that can call arbitrary URLs, which materially exceeds the manifest's stated purpose of livestock vocalization health analysis. In an agent-skill context, these broad network capabilities expand the attack surface and can be abused for unintended remote actions, data exfiltration, or acting on external systems if higher-level code passes untrusted inputs.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code performs remote resource management and user lookup operations that are not reflected in the manifest's description of an analysis-only health skill. This mismatch is dangerous because hidden or undeclared capabilities reduce operator visibility and permit the skill to interact with external systems in ways users and reviewers would not reasonably expect.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
A generic user/account DAO with token persistence is unrelated to livestock vocalization health analysis and materially expands the data-handling scope of the skill. In context, this mismatch is dangerous because it enables collection and storage of identity and authentication data not justified by the declared functionality, increasing privacy and credential exposure risk.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This module provides broad local database creation and CRUD capability that exceeds a read/analyze-only health inference use case. In this skill context, unnecessary persistence broadens attack surface, invites accidental retention of sensitive data, and creates capability for unrelated stateful behavior beyond the manifest.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The model stores username, realname, email, birthday, age, and especially token/open_token, none of which are justified for animal vocalization health analysis. Persisting these fields creates unnecessary collection of personal and credential-like data, and if the local SQLite database is accessed by another component or user, the impact includes account compromise and privacy breach.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The utility code performs remote account bootstrap, token retrieval, token caching, retry logic, and authenticated API calls that are unrelated to the stated livestock vocalization health-analysis purpose. This materially expands the skill's privilege and data-handling scope, enabling covert identity use and authenticated network activity under the user's workspace context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code reads identity-like values from workspace files and a local database, then reuses them as a current open-id without clear necessity for audio health analysis. This creates an implicit credential/identity harvesting path and can bind the skill's actions to a local user context without informed consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill detects agent workspace layout and creates data and skills directories, which exceeds what is needed for simple vocalization analysis and enables broader filesystem awareness and modification. In this context, that extra capability increases the chance of persistence, cross-skill interference, or unauthorized access to workspace-resident data.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The history-report triggers are broad phrases such as 'history report' or 'show all reports', which can cause unintended cloud queries without strong user intent confirmation. In a skill that auto-associates an internal identity and retrieves prior reports, overly broad triggers increase the risk of unauthorized or surprising disclosure of historical data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that uploaded attachments and audio/video files are automatically saved locally, but does not present a clear user-facing warning or consent notice near the behavior. Silent local persistence of user-provided media can create privacy, retention, and data-handling risks, especially for recordings that may incidentally contain human speech or sensitive operational details.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill reads arbitrary local file contents and uploads them to an external analysis service without any user-facing notice, consent prompt, or clear disclosure in this code path. In an agent environment, this can lead to unintended exfiltration of sensitive local media or mislabeled files if a user or higher-level workflow passes a local path expecting only local processing.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill forwards user-supplied remote URLs directly to the analysis backend without disclosing that a third-party service will fetch or process that URL. This can expose private or sensitive URLs to the backend and create unexpected data-sharing behavior, especially if users assume the agent is only handling metadata locally.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script accepts a hidden credential-related parameter (`--api-key`) while suppressing it from help output and providing no user-facing explanation of how secrets are handled. Hidden secret-bearing interfaces reduce transparency, can bypass normal review by users or wrappers, and increase the risk of credentials being passed insecurely via command lines, logs, or process listings.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool allows analysis of a user-supplied remote URL and forwards that input into an external analysis workflow with minimal disclosure about where data goes or what is fetched. In this skill context, the mismatch between a health-analysis manifest and a generic remote media analysis path makes the behavior more suspicious because users may unknowingly expose sensitive farm or operational media to third-party services.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The delete wrapper performs remote deletion through a generic POST call with no visible authorization checks, endpoint restriction, safety confirmation, or scope limitation in this file. In the context of a skill whose stated purpose is analysis-only, exposing a generic remote delete capability is riskier because it enables destructive side effects that are unexpected and potentially reachable through other components.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The helper exposes file writes and directory creation with no user-facing disclosure or confirmation. In a shared utility used by a health-analysis skill, silent filesystem modification can be abused for unwanted persistence, data tampering, or writing artifacts outside user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently reads a credential-like file, data/smyx-api-key.txt, and reuses its contents as an internal identity value. Accessing local secret or identity material without disclosure is dangerous because it can repurpose existing workspace credentials for network actions unrelated to the declared function.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request layer automatically transmits user identifiers and authentication tokens in headers and request bodies, while also performing implicit login and token refresh behavior. For a livestock vocalization analysis skill, this is a disproportionate and undisclosed data transmission path that could expose identities, tokens, and tenant context to remote services.

External Transmission

Medium
Category
Data Exfiltration
Content
    "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
}
try:
    _response = requests.post(_url, json=_data)
    if _response.status_code == 200:
        _response_json = _response.json()
        if _response_json and _response_json.get("success"):
Confidence
94% confidence
Finding
requests.post(_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2