Intelligent Infant Safety Monitoring Skill (婴儿智能安全看护技能)

Security checks across malware telemetry and agentic risk

Overview

This baby-safety skill needs review because it handles sensitive infant media and identifiers through cloud, account, history, and payment-related flows that are not clearly scoped or disclosed.

Install only after reviewing the publisher and confirming you are comfortable sending infant/home media, URLs, identifiers, and possibly tokens to the provider’s backend. Do not rely on this as the sole child-safety control. Ask for clear documentation on what is uploaded, how reports are authorized, retained, and deleted, why account/payment/history features are bundled, and whether face or health-analysis processing is actually involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
The skill expands from real-time infant-risk analysis to cloud-backed historical-report queries and automatic local file saving. In a context involving infant images/videos, this broadened data flow increases privacy risk and may surprise users who only expected transient analysis rather than storage and retrieval features.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The open-id flow instructs the skill to read local configuration files and repurpose an api-key field as a user identifier. Using credential-like configuration data for identity lookup is an overreach from the stated monitoring purpose and risks accidental misuse of secrets or cross-account access.

Intent-Code Divergence

Severity: Medium | Confidence: 88%
The documentation forbids reading local memory files but then authorizes reading local configuration files to obtain an api-key/open-id. This inconsistency weakens trust boundaries and may normalize accessing local sensitive files despite presenting the skill as privacy-constrained.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
The referenced API does not match the stated infant safety monitoring purpose: it exposes a generic analysis endpoint that returns face detection and health/constitution diagnosis data instead of infant hazard detection results. This mismatch is dangerous because it suggests the skill may send sensitive infant video to an unrelated service, misleading users about what is being processed and increasing the risk of inappropriate medical-style inference and privacy misuse.

Description-Behavior Mismatch

Severity: High | Confidence: 94%
The implementation is a generic file/video analysis and report-retrieval client, not an infant-safety-specific monitor as advertised. This mismatch is dangerous because operators may rely on the skill for real-time infant hazard detection and alerts, while the code only uploads content for backend analysis and formats returned reports, creating a false sense of safety in a high-risk childcare context.

Intent-Code Divergence

Severity: Medium | Confidence: 81%
The comment claims open_id is only for local identification and should not be sent to the API, but the code merely pops it from argss in one helper and does not verify that equivalent sensitive identifiers are excluded elsewhere. This kind of comment/code mismatch can lead to accidental disclosure of user identifiers to remote services or downstream methods when future changes reuse parameters inconsistently.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
This file exposes generic HTTP GET/POST/PUT/DELETE wrappers that can call arbitrary URLs, which is substantially broader than the declared infant safety monitoring purpose. In a safety-sensitive skill that may process infant-related telemetry or images, this broad network capability increases the risk of data exfiltration, unauthorized third-party communications, or later abuse by other components.

Description-Behavior Mismatch

Severity: Medium | Confidence: 82%
The code provides generic page/list/add/edit/delete operations rather than narrowly scoped infant safety monitoring actions. This mismatch between manifest and implementation expands the skill's operational surface and can enable unintended data access or manipulation paths unrelated to the user-visible purpose.

Description-Behavior Mismatch

Severity: High | Confidence: 89%
This file implements generic CRUD operations over a local sys_user table, including token-bearing user records, which is materially outside the declared infant safety monitoring purpose. In an agent skill, unnecessary account and token persistence expands the attack surface, increases sensitive-data retention risk, and creates capabilities that could be abused if exposed through other parts of the skill.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
This utility implements broad HTTP access, token injection, credential retry logic, and identity/account lifecycle behavior that goes well beyond infant safety monitoring. In the context of a baby-monitoring skill, such generic backend control materially expands the attack surface and enables undisclosed data transmission or account actions unrelated to the stated purpose.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
The code automatically performs a phone-login style registration flow with "register": 1 and sends user identifiers to a remote service, potentially creating accounts without explicit user approval. For an infant safety skill, covert account creation is unrelated to core monitoring functionality and risks privacy, unauthorized identity operations, and backend abuse.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
The utility contains billing and recharge handling that instructs users to install a payment skill and top up an account, which is unrelated to infant monitoring logic. Embedding payment workflow prompts inside a shared request path creates hidden monetization behavior and can steer users into financial actions not expected from a safety-monitoring feature.

Vague Triggers

Severity: Medium | Confidence: 89%
The trigger conditions are broad enough to auto-activate on essentially any infant-related video submitted for safety analysis. Because the skill can save media locally and send data to a backend, over-broad invocation increases the chance of unintended processing of highly sensitive child footage.

Vague Triggers

Severity: Medium | Confidence: 90%
Automatic history lookup based on broad natural-language phrases can trigger retrieval of prior reports without strong scope checks. In this context, that may expose sensitive infant safety reports and associated account data when the user intended only a general question or partial phrase match.

Missing User Warnings

Severity: High | Confidence: 96%
The skill does not clearly warn that infant videos/images and user identifiers are sent to a cloud API and may be retained for historical reporting. Given the extreme sensitivity of child media and safety-event data, omission of this disclosure undermines informed consent and raises serious privacy and compliance concerns.

Missing User Warnings

Severity: Medium | Confidence: 91%
The documentation says attachments or media may be automatically saved as local files but does not prominently warn users about local persistence. Silent local copying of infant images/videos increases exposure through disk retention, backup systems, and access by other local processes or users.

Missing User Warnings

Severity: Medium | Confidence: 88%
The script requires an --open-id value and stores it in process-wide state without any user-facing notice about how that identifier will be transmitted, used, retained, or protected. In this skill’s context, the identifier is tied to infant safety monitoring activity, which can reveal sensitive household and child-related usage patterns, so silent collection increases privacy and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 92%
The API documentation instructs users to upload videos or provide public video URLs but gives no warning about privacy, data transmission, or the sensitivity of infant footage. In the context of infant monitoring, this is especially dangerous because videos may capture minors, bedrooms, routines, and caregivers, creating substantial privacy and safety risks if transmitted insecurely, shared publicly, or retained without clear notice.

Missing User Warnings

Severity: Medium | Confidence: 89%
The code reads the full local file and sends it to a remote analysis service without any consent prompt, disclosure, or visible privacy notice at this layer. Because the stated use case involves infant video, the uploaded content is especially sensitive and may contain children, homes, and other personal information, increasing privacy and compliance risk.

Missing User Warnings

Severity: Low | Confidence: 83%
User-supplied remote URLs are forwarded directly to the analysis backend without warning the user that the third-party service will fetch or process that URL. While the server-side request behavior happens on the backend rather than in this file, the lack of disclosure still creates privacy and trust issues, especially if URLs embed tokens or point to private infant-monitoring footage.

Missing User Warnings

Severity: Medium | Confidence: 84%
The CLI accepts local files or remote video URLs and sends them for analysis via a backend skill/API flow, but it does not clearly warn users that sensitive infant video content may leave the local environment. In the context of infant-safety monitoring, this is more dangerous because the data is likely highly sensitive and may contain children, bedrooms, and household interiors, creating meaningful privacy and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 86%
The constructor performs an unconditional ALTER TABLE on startup, changing schema state automatically without migration controls, operator review, or compatibility checks. In production this can cause integrity issues, startup failures, or unexpected data-handling changes, especially when the skill is installed in environments where the database is shared or preexisting.

Missing User Warnings

Severity: Medium | Confidence: 92%
Requests automatically attach user identifiers and multiple tokens in headers/body and transmit them to remote endpoints without any visible user-facing disclosure in normal operation. In a skill handling potentially sensitive household and infant-related context, silent transmission of identifiers and credentials increases privacy and misuse risk.

Missing User Warnings

Severity: Medium | Confidence: 96%
The helper performs automatic account lookup and registration over the network with no clear notice, opt-in, or separation from ordinary skill execution. Hidden identity operations are especially problematic here because users would reasonably expect infant safety analysis, not account provisioning side effects.

VirusTotal

VirusTotal findings are pending for this skill version.