Mental Health Analysis Tool (心理健康分析工具)

Security checks across malware telemetry and agentic risk

Overview

This skill offers a plausible cloud mental-health video analysis workflow, but it handles sensitive videos, user identifiers, report history, and local tokens with insufficient scoping and disclosure.

Review carefully before installing. Use only with videos you are authorized to share, avoid using API keys or shared placeholders as open-id values, and assume submitted videos, identifiers, report history, and derived mental-health results may be sent to and stored by the remote service. The token/account persistence behavior should be clarified or removed before routine use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
85% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
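Both getattr() findings flag the same pattern: a caller-supplied filter key is resolved as an attribute of the model class before it is compared. The example below is added here and is not the scanned skill's code; Column, Report and the helper functions are a constructed in-memory stand-in for an ORM model and query, so it runs offline. It shows the two consequences a reviewer cares about (a non-column key turns the criterion into a constant, so the filter stops narrowing results, and equality against class attributes acts as an oracle) and the allow-list check against declared columns that closes both.

```python
"""Added example: allow-listing filter keys before they reach getattr() on a
model class. Not code from the scanned skill; Column, Report and the helpers
below are a constructed in-memory stand-in for an ORM so it runs offline."""


class Column:
    """Stand-in for an ORM column: `Column == value` builds a row predicate,
    the way `Model.col == value` builds a SQL criterion."""

    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        return lambda row: getattr(row, self.name) == other

    __hash__ = object.__hash__


class Report:
    """Stand-in for the model the flagged code reaches as self.__model__."""

    __columns__ = frozenset({"id", "open_id", "status"})
    id = Column("id")
    open_id = Column("open_id")
    status = Column("status")

    def __init__(self, id, open_id, status):
        self.id, self.open_id, self.status = id, open_id, status


def apply_filters_unsafe(model, rows, filters):
    """Mirrors the flagged pattern: every key resolves through getattr()."""
    predicates = []
    for key, value in filters.items():
        criterion = getattr(model, key) == value
        # A real column yields a predicate. Any other class attribute
        # (__name__, __module__, a method, ...) yields a plain bool, which a
        # query layer then treats as a constant criterion: True matches every
        # row, False matches none. The filter silently stops narrowing, and the
        # True/False outcome leaks whether the guessed attribute equals `value`.
        if not callable(criterion):
            predicates.append(lambda row, const=criterion: const)
        else:
            predicates.append(criterion)
    return [row for row in rows if all(p(row) for p in predicates)]


def rejected_filter_keys(model, filters):
    """Return the filter keys that are not declared columns of the model."""
    return [key for key in filters if key not in model.__columns__]


def apply_filters_safe(model, rows, filters):
    """Same query, but keys are checked against the model's declared columns
    before any attribute lookup happens."""
    bad = rejected_filter_keys(model, filters)
    if bad:
        raise ValueError(f"unknown filter column(s): {bad}")
    return apply_filters_unsafe(model, rows, filters)


# Constructed sample data.
SAMPLE_ROWS = [
    Report(1, "alice", "done"),
    Report(2, "bob", "done"),
    Report(3, "alice", "pending"),
]

if __name__ == "__main__":
    # Intended use: the two rows belonging to alice.
    print(len(apply_filters_safe(Report, SAMPLE_ROWS, {"open_id": "alice"})))
    # Attacker-chosen key: resolves to the class name, compares equal, and the
    # filter matches every row instead of narrowing the result.
    print(len(apply_filters_unsafe(Report, SAMPLE_ROWS, {"__name__": "Report"})))
    try:
        apply_filters_safe(Report, SAMPLE_ROWS, {"__name__": "Report"})
    except ValueError as exc:
        print(exc)
```

With a real ORM the allow-list should come from the mapper's column collection rather than a hand-maintained set, and keys that reach relationships or hybrid properties should be rejected as well unless the endpoint is meant to expose them.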

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The instructions explicitly tell the agent to read a config file's api-key and use that secret as the user's open-id, conflating an authentication credential with a user identifier. This can leak or misuse service credentials, cause cross-user data mixups, and result in reports being queried or stored under an administrative/shared secret rather than the real user identity.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Although the examples say the placeholder is prohibited, they still repeatedly demonstrate using openclaw-control-ui as the open-id. In practice, examples strongly shape agent behavior, so this can lead to reuse of a shared/default identifier, causing report mixups, unauthorized access to another user's history, or accidental persistence under a non-user account.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file exposes generic record-management operations such as page, list, add, edit, and delete that go beyond the stated purpose of psychological analysis and report generation. In a mental-health skill, undocumented CRUD functionality expands the attack surface and may enable unauthorized manipulation of sensitive analysis records or related device-linked data if upstream authorization is weak.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The delete method removes data based on a camera identifier, which is not obviously necessary for mental-health analysis and suggests coupling to surveillance/device records. If exposed to untrusted callers or weakly authorized, an attacker could delete camera-associated analysis records or operational data, causing loss of evidence, service disruption, or concealment of misuse involving sensitive mental-health monitoring.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The function `show_analyze_list(open_id, ...)` retrieves prior psychology-analysis records for a supplied user identifier, which exceeds the narrowly described purpose of analyzing a provided video. Because these records concern mental-health inferences, unauthorized enumeration or overbroad access can expose highly sensitive history and create a significant privacy breach.

Description-Behavior Mismatch

Low
Confidence
78% confidence
Finding
The implementation accepts arbitrary remote URLs and forwards them for analysis, but this network-fetching behavior is not clearly disclosed by the skill description. Allowing arbitrary URLs can expand the trust boundary, potentially enabling unexpected third-party data transfer or misuse of internal/secret URLs depending on how downstream fetching is implemented.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill is presented as a psychological and mental-health analysis tool, but the documented API response returns physical/constitution-style diagnosis fields such as organ condition and complexion. This mismatch can mislead integrators and users about what the system actually does, causing inappropriate reliance on outputs in a sensitive health context and increasing the risk of deceptive or unsafe deployment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documented behavior materially conflicts with the manifest’s stated purpose: instead of psychological analysis, it appears to generate physical/constitution or organ-related diagnosis from video. In a mental-health skill, this is especially dangerous because users may submit sensitive personal data and receive medically themed conclusions unrelated to the promised capability, which can undermine informed consent and lead to harmful decisions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill exposes a report-listing function that can enumerate prior analysis records, which goes beyond the stated purpose of analyzing a supplied video. Because this is a psychology/mental-health analysis skill, listed reports may contain highly sensitive personal inferences or identifiers, making unintended access to historical records a meaningful privacy and data-exposure risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script exposes a history-listing function for prior analysis records based only on an open_id-style identifier, which expands the skill from single-use analysis into retrieval of potentially sensitive historical mental-health outputs. In the context of a psychology-analysis skill, this is more dangerous because the returned records may contain highly sensitive behavioral or health inferences, increasing privacy and unauthorized-access risk if identity validation is weak upstream.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file exposes generic HTTP methods and CRUD-style wrappers that can send requests to arbitrary caller-supplied URLs, which is broader than the declared psychology-analysis purpose. In an agent skill context, this creates a capability for unintended outbound network access, data exfiltration, or use as a proxy to interact with unrelated services if higher-level skill logic passes untrusted or attacker-influenced URLs.
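Two findings concern the same capability: the undisclosed fetching of caller-supplied remote video URLs and the generic HTTP wrappers that send requests to arbitrary URLs. The check below is an added example, not the skill's code, of the outbound-URL gate a reviewer would expect in front of such wrappers. The backend host `api.example.invalid`, the function names and the sample URLs are assumptions constructed for the example. It is purely syntactic (scheme, userinfo, host allow-list, IP literals, port) and runs offline; resolving the host and checking the resolved address against private ranges, which is what closes DNS rebinding, is out of scope here.

```python
"""Added example: an allow-list gate for outbound request URLs.
Not code from the scanned skill. ALLOWED_HOSTS and the sample URLs are
constructed assumptions; only urllib.parse and ipaddress are used, so this
makes no network calls."""

import ipaddress
from urllib.parse import urlsplit

# Assumed: the one backend host the skill is allowed to talk to.
ALLOWED_HOSTS = frozenset({"api.example.invalid"})


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). Only https to an exact allow-listed host on the
    default port, with no userinfo and no IP literal, is accepted."""
    parts = urlsplit(url)

    if parts.scheme != "https":
        return False, "scheme must be https"
    # 'https://api.example.invalid@evil.invalid/' parses to host evil.invalid;
    # refuse anything with userinfo so the trick never reaches the host check.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"

    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"
    except ValueError:
        pass
    # Exact match, not suffix match: api.example.invalid.evil.invalid must fail.
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allow-list"

    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"

    return True, "ok"


def safe_request(method, url, allowed_hosts=ALLOWED_HOSTS):
    """Gate a generic HTTP wrapper: refuse before any client is touched.
    Returns the (method, url) pair the caller may now hand to its HTTP client."""
    ok, reason = check_outbound_url(url, allowed_hosts)
    if not ok:
        raise ValueError(f"refusing outbound request to {url!r}: {reason}")
    return method.upper(), url


# Constructed sample inputs a caller (or a prompt-injected agent) might pass.
SAMPLE_URLS = [
    "https://api.example.invalid/analyze",
    "https://API.example.invalid/analyze",
    "http://api.example.invalid/analyze",
    "https://api.example.invalid@evil.invalid/collect",
    "https://api.example.invalid.evil.invalid/collect",
    "https://127.0.0.1/admin",
    "https://[::1]/admin",
    "file:///etc/passwd",
    "https://api.example.invalid:8443/analyze",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, reason = check_outbound_url(url)
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}  ({reason})")
```

The allow-list belongs in configuration that the agent cannot rewrite, and the gate should wrap every method of the generic HTTP layer, not only the video-analysis call, so that the history, delete and ai_chat paths cannot be pointed at another service.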

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest describes a mental-health video analysis/reporting skill, but this code implements a reusable remote API service layer rather than task-specific analysis logic. That mismatch is dangerous because it hides broad network capability behind a benign-seeming skill description, reducing transparency and making misuse or over-privileged behavior harder to detect during review.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file adds a generic `ai_chat` capability that is not constrained to the declared psychology/video-analysis purpose. Broad, reusable agent-invocation surfaces increase the chance of prompt abuse, unintended external actions, or capability expansion beyond the skill's stated trust boundary, especially if the commented-out command execution is later re-enabled.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This utility layer goes beyond simple psychological analysis support and performs account discovery/creation, token acquisition, and token persistence. That creates an unexpected identity and credential management surface: a caller can trigger remote account provisioning tied to a username/openId and store resulting tokens locally, which is materially broader than the declared skill purpose and increases risk of unauthorized account use and silent data handling.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The code can create a user via `/sys/phoneLogin`, hydrate a local user model, and save token-bearing records without any visible authorization gate in this file. In a mental-health analysis skill, silent user creation and persistence are especially sensitive because they can associate highly sensitive behavioral data with identities and credentials outside the user’s expectations.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The automatic trigger phrases for history-report retrieval are broad enough to match ordinary conversation, which can cause unintended cloud queries for sensitive mental-health report history. In this context, accidental retrieval is more dangerous because the data concerns psychological assessments and linked report URLs, increasing privacy exposure.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill says uploaded videos are automatically saved as local files, but it does not provide a clear user-facing privacy notice, retention policy, or consent step. Because these videos may contain biometric and mental-health-related data, silent local persistence materially increases the risk of unauthorized access, secondary use, or retention beyond user expectations.

Missing User Warnings

High
Confidence
98% confidence
Finding
The workflow describes sending videos and open-id values to a cloud API for psychological analysis, but it does not prominently warn users that highly sensitive biometric and mental-health data will leave the local environment. This is especially dangerous in a mental-health context because users may not expect remote processing, storage, or linkage of assessments to an identifier.

Missing User Warnings

High
Confidence
97% confidence
Finding
This skill processes video for psychological/mental-health analysis and sends it to an external API path via `skill.get_output_analysis(...)`, yet there is no explicit privacy warning or consent flow before transmitting highly sensitive personal data. Mental-health inferences are especially sensitive, so silent external transmission increases legal, ethical, and confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code uses `open_id` to retrieve analysis records from a remote service without any visible privacy notice, consent step, or access-control verification in this file. Since `open_id` may be a username, phone number, or other identifier, misuse could expose sensitive psychology-analysis history linked to a real person.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API documentation encourages uploading videos or supplying public video URLs, which are likely to contain highly sensitive biometric and behavioral data, but it provides no warning about privacy, retention, third-party access, or consent requirements. In the context of mental-health analysis, this makes the issue more serious because the collected media may reveal identity, emotional state, and health-related attributes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The response schema presents diagnostic-style health conclusions and recommendations without any disclaimer that the output may be inaccurate, should not replace professional evaluation, or could affect user decisions. Because the skill is framed around psychological or health analysis, users may over-trust the output and act on unvalidated recommendations, creating safety and liability risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script requires a highly sensitive identifier (--open-id) and initiates remote analysis without any explicit privacy notice, consent flow, or visible safeguards around transmission of user-linked video and inferred psychological data. In a mental-health analysis context this is especially sensitive, because combining identity with video-derived behavioral inferences can expose protected or stigmatizing personal information if mishandled.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.