Reptile Pet Health Diagnosis and Analysis Tool (爬行类宠物健康诊断分析工具)

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible reptile-health purpose, but it under-discloses account creation, personal identifier use, token storage, report-history access, and extra camera/monitoring-related code.

Review before installing. Only use it if you are comfortable sending pet videos or URLs, a username or phone-derived open-id, report history requests, and generated account tokens to the publisher's backend; ask the publisher to clarify token storage, account creation, history authorization, monitoring scope, media retention, and the yaml dependency first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
82% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documented 7x24 camera monitoring and camera management features materially expand the skill from one-time video health analysis into persistent device monitoring. That broader surveillance capability increases privacy and security risk, especially if users did not intend to authorize continuous monitoring or camera administration.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Claiming the skill is only for video-based diagnosis while also documenting monitoring operations is a scope-deception issue. Even if not overtly malicious, this inconsistency can mislead reviewers and users into granting trust or access under a narrower understanding of the skill's real capabilities.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill manifest describes reptile health video analysis, but this service class also exposes generic record-management methods such as add, edit, page/list, and delete. That expands the skill's effective capability beyond the user-declared purpose, increasing the risk of unauthorized data manipulation or unintended invocation paths if these methods are reachable through the agent or server-side routing.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documented API response clearly performs human-oriented face detection and constitution/organ diagnosis, which directly contradicts the skill’s stated purpose of reptile health analysis. In this context, the mismatch is dangerous because users may submit animal videos to a service that appears designed for human biometric/health inference, creating a strong risk of deceptive functionality, unintended collection of sensitive human data, or hidden repurposing of uploads.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API behavior described in the document is fundamentally inconsistent with the advertised skill behavior: it accepts videos but returns human facial detection and traditional constitution diagnosis fields rather than reptile disease assessment. This indicates the skill may be misrepresenting what data is analyzed and for what purpose, which is especially risky for uploads and URLs because it could route user-provided media into an unrelated analysis pipeline without informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises reptile video health analysis, but this service class also exposes generic page/list/add/edit/delete operations unrelated to that stated purpose. This broadens the skill’s effective capability surface and could allow callers or higher-level code to manage backend records or devices through an analysis-focused skill, violating least privilege and enabling unintended data or resource manipulation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The add/edit/delete methods, especially delete(cameraSn), suggest the skill can perform CRUD operations on camera or other managed resources despite being presented as a reptile diagnostic tool. In this context, hidden resource-management capability is more dangerous because users and integrators would not expect destructive backend actions from a media-analysis skill, increasing the risk of unauthorized modification or deletion of operational assets.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill exposes a generic historical report listing capability that is broader than the manifest’s stated trigger of analyzing a user-provided reptile video or URL. If this method is reachable without strict per-user authorization in underlying APIs, it could reveal prior report metadata or report URLs beyond the current user’s intended session scope, creating an information disclosure risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This module implements a persistent generic user/account DAO with local database creation and CRUD operations, which is outside the stated purpose of reptile video health analysis. In a least-privilege review, hidden persistence for account data expands attack surface and creates data-retention risk without clear user need or disclosure.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores identity data and especially token/open_token values, capabilities not justified by the skill's manifest. Storing authentication artifacts in a local SQLite database materially increases the consequences of host compromise, accidental exposure, or misuse by unrelated code paths.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This utility file contains logic to silently create or log in users via `/sys/phoneLogin`, persist tokens, and return payment-upgrade instructions, which is outside the stated scope of reptile video health analysis. Embedding account lifecycle and monetization behavior in a generic request helper increases the risk of undisclosed account creation, unauthorized identity binding, and covert backend interactions whenever the skill performs network requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill says it analyzes user-provided videos and URLs through a server-side API, but it does not clearly warn that user content will be transmitted off-device. This is a privacy and consent issue because health-related pet media, metadata, and URLs may be sent to a remote service without sufficiently explicit disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that uploaded attachments or media files are automatically saved locally, but it does not provide an explicit warning or consent flow for local storage. Silent persistence of user files increases privacy risk and can leave sensitive content on disk longer than users expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function sends either a local file path or a remote URL to downstream analysis logic without any explicit user notice, consent prompt, or disclosure that third-party/server-side processing will occur. In a health-analysis skill handling user-supplied media, this creates a real privacy and data-handling risk because users may unknowingly transmit sensitive media or internal URLs to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script requires an `--open-id` value that may be a user identifier, username, or phone number, but provides no notice about why it is needed, how it is stored, or whether it is transmitted to backend services. Collecting personal identifiers without transparency or minimization increases privacy, compliance, and misuse risk, especially when tied to uploaded pet-health media and analysis history.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs clients to upload local video files or provide public video URLs for server-side analysis but gives no warning about retention, access controls, third-party processing, or handling of potentially sensitive content. Because the skill accepts rich media and remote URLs, the absence of privacy and data-handling disclosures increases the risk of users unknowingly sending personal or identifying footage to an opaque backend.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The CLI explicitly accepts an `--open-id` that may be a phone number, username, or other personal identifier, but provides no notice, minimization, masking, or validation around how that sensitive value is handled. In this skill context, the identifier is written into a global config value and then used in server-side analysis/list requests, creating privacy and compliance risk if operators supply phone numbers or other PII without clear consent or protection expectations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The constructor automatically creates a local database file and mutates schema on initialization, with no visibility, consent, or clear necessity for the declared skill purpose. Silent persistence and schema changes are risky in an agent skill because they can create undeclared state, retain personal data, and surprise operators reviewing the component's behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The network helper automatically attaches tokens, API keys, tenant identifiers, platform identifiers, and a username to outbound requests, and may also contact a secondary health endpoint to create or fetch an account. In the context of a pet video analysis skill, this creates undisclosed external data transmission and expands the privacy/security boundary beyond what a user would reasonably expect from submitting a reptile video.

VirusTotal

VirusTotal findings are pending for this skill version.
