Ornamental Fish Color Brightness Assessment | 观赏鱼体色鲜艳度评估

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as fish color assessment, but its artifacts include broad cloud media upload, account/token handling, and unrelated human-health analysis materials that need review before use.

Install only if you are comfortable sending aquarium images/videos, media URLs, and an open-id or username to the LifeEmergence/SMYX cloud services. Avoid using human footage or sensitive camera content with this skill, and review or remove the shared account/token persistence and unrelated human-health analysis artifacts before deploying it in a shared or production environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding:
The manifest frames the skill as image-based fish vibrancy assessment, but the instructions also require cloud history queries and user/account identification workflows. That hidden functional expansion increases privacy risk because identifiers and historical reports may be processed remotely without being core to the stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The skill instructs reading configuration files to obtain an API credential/open-id, including from workspace-level paths. Accessing local configuration secrets for a user-facing fish-analysis workflow is overprivileged and can expose credentials or enable unintended cross-skill secret reuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill manifest describes a read-oriented fish color/brightness assessment workflow, but this file also exposes add, edit, and delete record-management operations. That expands the skill's effective capability beyond its declared purpose, increasing the attack surface and enabling unauthorized modification or removal of camera/analysis records if these methods are reachable through the agent or API layer.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The delete(cameraSn) method introduces destructive capability that is not justified by the stated fish color assessment use case. If exposed to untrusted callers or misused by an agent, it could delete camera-linked records or configurations, causing data loss or service disruption in aquarium monitoring deployments.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The documented response schema describes human face detection, constitution assessment, organ-condition inference, and health advice, which is unrelated to the declared fish color-brightness skill. This indicates severe skill/API mismatch and creates a realistic risk that users or integrators may unknowingly send human imagery or receive human-health inferences through a skill presented as aquarium analysis, resulting in deceptive capability exposure and possible processing of sensitive biometric/health data.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The request model accepts generic video uploads and arbitrary public video URLs, but the skill is described as fixed-camera ornamental fish color assessment. That mismatch broadens the effective data intake beyond the claimed purpose and can enable covert repurposing of the service for unrelated video analysis, including human footage, which is especially concerning given the downstream human-diagnosis response fields.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
Human face detection and constitution/organ diagnosis are unjustified and highly sensitive capabilities within a fish health skill. In this context, the presence of these fields suggests hidden or misdocumented biometric/health inference functionality, which raises privacy, compliance, and misuse risks far beyond ordinary aquarium monitoring.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding:
The implementation accepts arbitrary local files and external video URLs and forwards them to a generic analysis backend, which is materially broader than the stated fish color/brightness assessment purpose. This creates scope-expansion risk: users or upstream agents may use the skill as a general media-upload and remote-content processing primitive, potentially sending unrelated or sensitive content to the backend service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Allowing arbitrary http/https URLs means the system can be directed to process third-party remote content unrelated to aquarium assessment. Even if this code does not fetch the URL directly, it passes attacker-controlled URLs to the backend analysis service, which can expand privacy, abuse, and backend request-scope risks beyond the documented functionality.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding:
The implementation materially differs from the declared fish color/brightness assessment purpose: it exposes a generic video analysis/listing interface and delegates analysis to a broad `skill.get_output_analysis` call with local path or URL input. This kind of capability mismatch is dangerous because users, reviewers, or downstream policy systems may trust the manifest while the code processes broader media inputs, enabling hidden data collection, unintended external requests, or repurposed analysis outside the declared scope.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding:
The CLI advertises itself as a generic 'video analysis tool' and accepts MP4-oriented inputs, which contradicts the stated fixed-camera fish image color assessment use case. While this is not direct code execution, deceptive or inaccurate interface documentation can facilitate misuse, broaden the operational scope, and mask unexpected processing of user-supplied media or remote URLs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
This file exposes generic add/edit/delete/page/list helpers and arbitrary HTTP verb wrappers that can call attacker-controlled or out-of-scope URLs, which is much broader than the stated fish color assessment functionality. In an agent-skill context, this kind of unnecessary network capability increases the attack surface for data exfiltration, unauthorized API access, SSRF-style behavior, or misuse by prompts/tools that should only perform narrowly scoped aquarium analysis tasks.

Context-Inappropriate Capability

Severity: High
Confidence: 90%
Finding:
This model stores token and open_token values directly in a local SQLite user table even though the stated fish-health assessment purpose does not justify retaining authentication secrets. Unnecessary secret storage increases the blast radius of local compromise, backup exposure, or accidental disclosure, especially in a consumer or shared-device aquarium deployment.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
This utility contains account provisioning, token acquisition/refresh, DAO-backed token persistence, and payment-failure handling that are unrelated to a fish color analysis skill. Such hidden cross-domain capabilities expand the attack surface, can create or access platform accounts without clear user consent, and enable authenticated calls to external services using stored credentials.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The nested _get_or_create_user function can silently register or log in a user on an unrelated health platform using a username/mobile value as both openId and mobile, with register and silent flags enabled. For a fish-color assessment skill, this is unjustified and dangerous because it can create external identities and transmit personal identifiers without transparent user awareness.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The code loads tokens from local DAO storage, mutates global token state, writes refreshed tokens back to persistent storage, and clears stored credentials on retry. Persisting and reusing authentication material in shared utility code increases the risk of credential leakage, cross-skill abuse, and unauthorized authenticated requests, especially when unrelated to the skill's stated function.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The trigger phrases for history queries are broad enough that ordinary requests may unintentionally invoke cloud-backed retrieval behavior. This can lead to surprising remote data access and disclosure of historical reports when the user may only have been asking a general question.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding:
The skill states that uploaded images or videos will be automatically saved locally, but it does not provide a clear upfront warning, retention rule at that step, or consent mechanism. Silent local storage of user media increases privacy and data-handling risk, especially for camera content captured in homes or facilities.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The instructions require sending an open-id to cloud history APIs, but do not clearly warn users that identifiers and report data will be transmitted to a remote service. This undermines informed consent and may expose account-linked behavioral or operational records beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The API documentation instructs clients to upload videos or provide public video URLs but gives no warning about privacy, retention, or the sensitivity of any captured content. Because the same document also exposes human face/health-analysis semantics, this omission is more dangerous in context: users may unknowingly transmit human biometric or health-related data to a remote server without informed consent or handling guidance.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code reads the entire local file and uploads it to an analysis API without any user-visible notice, confirmation, or data-handling disclosure in the skill flow. Because uploaded media may contain sensitive or unintended content, silent transmission to a remote service creates privacy and compliance risk, especially given the skill accepts generic media beyond the declared aquarium scenario.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The request path automatically attaches App-Id, access token, API key, authorization token, tenant code, skill metadata, and user name to outbound HTTP requests. Even if some logging is truncated, the code still transmits authentication and identity-related data to external endpoints without evident user-facing disclosure or minimization, creating privacy and misuse risks.

VirusTotal

66/66 vendors flagged this skill as clean.
