Micro-Emotion Recognition and Analysis Tool (微观情绪识别分析工具)

Security checks across malware telemetry and agentic risk

Overview

This skill handles sensitive face video and identity data, but its package includes under-disclosed health profiling, credential-like identifier handling, persistent tokens, and backend mutation tools beyond the stated emotion-analysis purpose.

Review this carefully before installing. Use it only if you are comfortable sending facial videos or video URLs, user identifiers, and possibly health-related derived data to the provider's backend. Do not provide real API keys as open-id values, avoid phone numbers or personal identifiers unless strictly required, and prefer a version that removes silent account creation, token persistence, generic CRUD/delete helpers, and clearly documents biometric data handling and retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to read local/workspace config files to obtain an api-key and repurpose it as an open-id, even though facial emotion analysis does not inherently require inspecting unrelated local secrets. This creates a path for unauthorized secret harvesting from the workspace and could expose credentials to the skill or remote API.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documented flow tells the agent to read an api-key field and use it as the open-id, conflating authentication credentials with a user identifier. This can cause credential misuse, accidental disclosure of secrets in downstream requests, and confusion about identity and authorization boundaries.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented endpoint behavior is materially inconsistent with the skill's stated purpose of facial micro-expression emotion analysis. Instead of emotion outputs, it returns health/constitution and organ-condition inferences from video, which indicates scope mismatch and possible deceptive or undisclosed biometric/health profiling. In this context, users may submit sensitive facial videos expecting emotion analysis but receive or trigger health-related inference processing, creating significant privacy, consent, and misrepresentation risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as performing emotion-analysis, but this API wrapper also exposes generic record-management operations including listing, adding, editing, paging, and deleting records. That creates a capability mismatch between the declared purpose and the actual available actions, which can enable unauthorized data manipulation or expansion of scope if the agent or downstream callers can invoke these methods.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The delete() method allows removal of records by cameraSn, which is unrelated to the stated purpose of facial micro-expression analysis and introduces destructive capability into the skill. In an agent context, exposing deletion behind a broadly scoped skill increases the risk of accidental or unauthorized destruction of camera- or analysis-associated data, especially if callers can supply arbitrary identifiers.

Description-Behavior Mismatch

Medium
Confidence
75% confidence
Finding
The history-listing capability expands the skill beyond analysis into retrieval of prior user activity, which is outside the stated purpose and may expose historical analysis data tied to a user identifier. In this context, undeclared access to prior records increases privacy and data-minimization risk, especially because the tool takes an open-id that may map to a real user account.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This file exposes unrestricted generic HTTP methods and CRUD-style wrappers that can send requests to arbitrary URLs, which is far broader than what an emotion-analysis skill should need. In a plugin/agent setting, this creates a powerful network primitive that could be abused for unauthorized outbound requests, data exfiltration, SSRF-like access to internal services, or hidden secondary functionality unrelated to the declared skill purpose.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The implementation is a reusable general-purpose API client rather than code specifically tied to facial micro-expression analysis, which indicates capability drift from the stated skill purpose. While not inherently exploitable on its own, this mismatch increases risk because hidden generic infrastructure can be repurposed to perform unrelated actions and makes review, policy enforcement, and trust decisions less reliable.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill claims to perform facial micro-expression emotion analysis, yet this module defines persistent user-account storage and mutation capabilities unrelated to that purpose. That mismatch expands the data-handling surface and creates unjustified collection and retention of identity-linked data, which is especially concerning in a sensitive inference context like emotion analysis.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The schema stores authentication-like tokens, open tokens, email, birthday, sex, and age despite no clear connection to the declared emotion-analysis functionality. Collecting and persisting such sensitive profile and credential-adjacent data without evident necessity increases the risk of privacy harm, account compromise, and unauthorized profiling if the database is accessed or reused improperly.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file exposes a generic `ai_chat`/agent-invocation interface that is unrelated to the declared facial micro-expression analysis purpose of the skill. In a skill ecosystem, hidden or extra capabilities increase attack surface, enable policy bypass through repurposing, and make security review and permission scoping harder because the code can be used for arbitrary prompt handling rather than the advertised task.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The docstring and surrounding comments claim the method invokes `openclaw agent` via subprocess, but the implementation uses an empty dict and then accesses `result.stderr` and `result.stdout`. This deceptive mismatch is dangerous because it obscures the real behavior, undermines auditability, and could later be swapped back to real subprocess execution without corresponding review; even in its current form it creates unstable behavior and exception-driven control flow that hides failures.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility implements broad authenticated HTTP access, token attachment, automatic user lookup/provisioning, retry logic, and backend-specific request shaping that goes far beyond a narrowly scoped emotion-analysis skill. In this context, the code enables hidden account-backed API activity and expands the skill's effective privileges and data reach without any visible user consent boundary.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The _get_or_create_user helper performs a phone-login style request with silent registration semantics using a username/mobile/openId, which can create or authenticate backend users implicitly. For an emotion-analysis skill, this is unrelated functionality and creates a serious risk of unauthorized account creation, identity misuse, and undisclosed transmission of user identifiers to a remote service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code returns instructions to install a payment skill and recharge an account when a 402 condition occurs, embedding monetization workflow handling unrelated to emotion analysis. This broadens the skill's operational scope and can steer users into additional installs or purchases from within backend error handling, which is inappropriate and potentially deceptive in a narrowly described analytical tool.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger conditions include broad emotion-analysis and history-report keywords that can auto-invoke the skill in ambiguous contexts. Because the skill performs biometric/emotional analysis, local file saving, and remote API access, overly broad activation increases the chance of unintended processing of sensitive media or report retrieval without sufficiently specific user intent.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill handles highly privacy-sensitive biometric and inferred emotional data and states that uploaded attachments or videos are automatically saved locally, but it does not present a clear upfront warning or consent flow. Users may unknowingly expose facial data, inferred mental-state information, and persisted local copies, creating significant privacy and compliance risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script requires an open_id and stores it in process-wide configuration before invoking list and analysis operations, but provides no explicit privacy disclosure, minimization, or validation around this identifier. Because the identifier may be a username or phone number, this can expose personal data to backend services and logs without informed user consent or least-data handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When a remote video URL is provided, the script forwards that URL to the backend analysis service without clear disclosure that user-supplied content references will be transmitted off-host. This creates a privacy and trust risk, especially if URLs contain sensitive query tokens, internal locations, or access-controlled resources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API documentation instructs users to upload videos or provide public video URLs along with an API key, but provides no warning about transmitting sensitive biometric data, retention, third-party processing, or handling of public-link content. Because the skill analyzes faces, the submitted data is inherently sensitive, and the absence of privacy and security guidance can lead to unauthorized collection, exposure, or misuse of personal data.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill reads arbitrary local file contents into memory and uploads them, or forwards a user-supplied remote video URL to the analysis service, without any visible consent, warning, or destination transparency in this code. In a biometric/emotion-analysis context, this is more sensitive than ordinary media handling because users may unknowingly send highly sensitive facial data or private local videos to a third-party service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI requires a sensitive identifier (`open-id`) and sends input for remote analysis, yet it provides no explicit privacy notice, consent prompt, or explanation of what data is transmitted, stored, or linked to the identifier. In a skill handling videos and inferred emotional-state data, this is particularly risky because both the raw media and derived analysis may be highly sensitive personal data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The request flow transmits user identifiers and authentication headers, and it injects fields such as pnaUserName, tenantCode, and platform metadata into outbound requests without any visible disclosure or consent mechanism in this file. Because this is an emotion-analysis skill, undisclosed sharing of identity and account context is more concerning than in a clearly account-management-oriented integration.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code reads, caches, and persists sensitive authentication material including token and openToken, and updates stored user records with these values. Storing and reusing authentication secrets in a generic utility without clear protection, lifecycle controls, or disclosure creates significant risk of credential compromise and unauthorized API access.

VirusTotal

64/64 vendors flagged this skill as clean.
