Fish Abnormal Swimming Posture (Side-swim / Upside-down) Detection | 鱼类游动姿态异常(侧游/倒立)识别

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly for cloud-based fish video analysis, but it under-discloses account creation and local token storage and has an unsafe dependency entry, so it should go to Review before installation.

Install only if you trust the publisher and are comfortable sending aquarium videos plus a user identifier to the Life Emergence/SMYX cloud service. Avoid using a phone number as open-id if possible, review or remove the bad yaml dependency before installation, and treat the local workspace database as sensitive because it may contain authentication tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Requiring an open-id derived from a username or phone number to analyze fish videos or fetch reports is not justified by the stated functional need and creates unnecessary collection of personal identifiers. Tying a simple analysis workflow to personal identity increases privacy risk, enables account correlation, and expands harm if the backend or local storage is compromised.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill scope expands from local visual analysis into cloud history retrieval and user-app alerting workflows that are not clearly reflected in the top-level description. Hidden or under-disclosed backend interactions increase the chance that users and reviewers misunderstand what data is sent off-device and what downstream actions may occur.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The script exposes a history-listing function keyed only by an externally supplied open_id, and the code shown performs no authentication, authorization, or ownership check before retrieving data. If the downstream implementation honors this parameter directly, an attacker who can invoke the script could enumerate or access another user's analysis history, creating an insecure direct object reference/privacy issue. In this skill context, the data is aquarium monitoring history rather than highly sensitive human medical data, which lowers severity somewhat but still creates unauthorized data exposure risk.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented response schema clearly describes human face detection, constitution diagnosis, organ-condition inference, and health advice rather than fish swimming-posture analysis. This is a true capability mismatch that can cause the skill to send aquarium video or operator-provided media to an unrelated human-analysis endpoint, indicating either severe integration error or deceptive documentation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The API behavior includes face detection and human health diagnosis, which are unjustified for a fish-monitoring skill and materially expand data processing into sensitive biometric and health domains. In this context, hidden or undocumented human-analysis capability is especially dangerous because aquarium cameras may capture people in the background, enabling unintended collection or inference of personal data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest and skill description promise fish abnormal-swimming detection, but the referenced API is a generic 'common-analysis' service returning human health imagery results. This discrepancy undermines trust boundaries, suggests the skill may invoke an unrelated backend, and can result in users unknowingly sending video to a service with materially different processing purposes.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This file exposes generic add/edit/delete/list and arbitrary HTTP verb helpers that are not scoped to fish-swimming analysis. In an agent skill context, this broad network capability can be repurposed to interact with unrelated backend endpoints or external services, expanding the attack surface well beyond the stated function of analyzing aquarium video and reporting health metrics.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The download-URL generator grants access to externally stored objects via a caller-supplied tosKey and expiration value. If exposed to untrusted inputs or used without authorization checks, it could be abused to retrieve unintended objects or facilitate unauthorized data access beyond the fish-analysis use case.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a generic local DAO plus a sys_user table with create, update, delete, and query operations, which is unrelated to the stated fish abnormal-swimming detection capability. Hidden persistence and account-data handling in an unrelated skill broadens the attack surface, can store unexpected user data locally, and may be used as unauthorized side-functionality outside the advertised purpose.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The User model stores authentication/profile-style fields including username, email, token, and open_token without any clear relation to aquarium video posture analysis. Storing tokens in a local SQLite database increases the chance of credential leakage, misuse, or unintended retention, especially if the host running the skill is compromised or if the database path is broadly accessible.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility performs authenticated outbound API access, injects app/user identity headers, and contains account bootstrap logic unrelated to aquarium video posture analysis. In the context of a fish-health monitoring skill, these hidden capabilities materially expand the trust boundary and enable transmission of identifiers and tokenized access to external services without clear necessity or user awareness.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code automatically creates or logs in a user against a health backend using a username/mobile/openId, with silent and register flags enabled. That is an unjustified capability for a fish abnormal-swimming detection skill and could create accounts or transmit personal identifiers to a remote service without informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The utility loads, stores, updates, and retries with authentication tokens and persisted user records, increasing the sensitivity of the skill beyond its stated purpose. Token persistence and mutation create risks of credential misuse, unintended cross-user access, and silent continued communication with external systems if the local storage or DAO layer is compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes uploading video files or public video URLs to a remote service using an API key, but it provides no privacy, retention, sharing, or handling disclosures despite the endpoint appearing to process potentially sensitive human biometric and health-related data. Because the referenced API unexpectedly performs face and health analysis, the lack of warning is more dangerous than in an ordinary fish-only telemetry workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When a local path is provided, the code reads the entire file and sends it to a remote analysis service via `self.analysis(...)` without any user-facing notice, consent prompt, or visible disclosure in this skill layer. That creates a real privacy and data-handling risk because users may reasonably believe processing is local, while sensitive video content is actually transmitted off-device.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The CLI requires an --open-id value and stores it in a global current-user field, but provides no warning, minimization guidance, or privacy notice despite examples indicating it may contain a username or phone number. This can lead users to supply personally identifiable information without understanding retention, downstream use, or exposure risks in logs and backend services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool accepts a local file path or remote URL for video analysis and passes the input to skill.get_output_analysis(), with error handling explicitly referencing API requests, but gives no user-facing notice that video content may be transmitted to an external service. Because aquarium video may still contain sensitive environmental or personal data, silent upload/processing creates a real privacy and consent risk.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
Initialization automatically creates a SQLite database file and later mutates schema state without any user-facing disclosure. Silent local persistence and schema changes are risky in a skill whose declared purpose is video health analysis, because operators may not expect account data or local databases to be created as a side effect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends a POST request to a remote login endpoint and includes user-linked fields such as mobile/openId without any user-facing disclosure in this file. For a fish-monitoring skill, undisclosed network transmission and account provisioning are especially problematic because users would not reasonably expect personal data handling outside the aquarium-analysis function.

VirusTotal

VirusTotal findings are pending for this skill version.
