Workplace Group Stress Heatmap | 职场员工压力群体热力图

Security checks across malware telemetry and agentic risk

Overview

The skill is framed as anonymous workplace stress heatmaps, but the artifacts show identity-linked cloud use, local token/profile persistence, broad video ingestion, and mismatched health-analysis behavior.

Do not install this without a privacy and security review. Confirm exactly what video is uploaded, which backend model runs, whether individual health/face outputs are disabled, how the open-id and tokens are stored, and who can retrieve historical reports; replace the unresolved yaml dependency with PyYAML or remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
86% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
86% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises no declared permissions, yet its documented behavior requires environment access, local file read/write, network access, and shell execution. This gap prevents reviewers and policy engines from understanding the true attack surface, increasing the chance that sensitive files, credentials, or local data are accessed without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill claims to provide anonymous group-level stress heatmaps, but the documented workflow adds user login/registration, token persistence, arbitrary file/URL ingestion, and cloud history/report retrieval. That mismatch is dangerous because operators may approve the skill for low-risk anonymous analytics while it actually introduces account-linked tracking, broader data collection, and expanded exfiltration paths.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
Although outputs are described as anonymous and group-level, reports are tied to a user-specific open-id and historical cloud records can be queried later. Linking supposedly anonymous analytics to a stable identifier undermines anonymity claims and creates a reidentification or activity-tracking risk over time.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill states it does not identify individuals, but the mandatory open-id flow explicitly instructs collection of a username or phone number before operation. Requiring direct personal identifiers contradicts the anonymity claim and can turn workplace monitoring into identity-linked surveillance with significant privacy and compliance consequences.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The history-report retrieval feature expands the skill beyond immediate anonymous heatmap generation into persistent cloud record access. This increases privacy exposure and abuse potential because historical workplace stress outputs can be mined, correlated, or shared in ways not justified by the narrowly stated purpose.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation simultaneously promises anonymity and instructs operators to collect a username or phone number as open-id for use and report access. This is a clear deceptive-data-handling issue: users and reviewers may believe the system is non-identifying when it actually requires personally identifying account data.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The analysis method injects a default petType parameter into requests for a workplace stress-analysis skill, which is inconsistent with the declared purpose and strongly suggests code reuse or hidden alternate behavior. In a surveillance-oriented workplace context, unexplained parameter injection is risky because it can alter backend model selection or route data to unintended processing logic, undermining transparency, policy compliance, and trust in what the system is actually analyzing.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill claims to perform anonymous, group-level workplace stress analysis, yet it requires an `open-id` and uses that identifier to retrieve analysis history. This creates a contradiction between the privacy claim and the implementation, and can enable linkage of sensitive workplace-health inferences to a user account or operator identity, undermining anonymity and increasing privacy/compliance risk.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The workplace-stress skill still exposes a `pet_type` parameter with `cat`/`dog` options, showing code reuse from an unrelated domain and suggesting the implementation may not match the claimed safety/privacy behavior. In a sensitive biometric surveillance context, such mismatches are dangerous because they indicate poor assurance, weak validation, and increased likelihood that inputs are routed to the wrong model, logged incorrectly, or handled outside intended controls.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documented response describes individual-level face detection plus traditional-medicine-style health and organ-condition inferences, which materially conflicts with the stated purpose of anonymous group stress heatmaps. This mismatch is dangerous because it suggests undisclosed collection and inference of sensitive biometric and health-related data beyond the skill's declared scope, creating privacy, compliance, and trust risks.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API accepts arbitrary uploaded videos or public video URLs and returns individual diagnostic results, not anonymous office-zone stress heatmaps as promised. That discrepancy indicates either undocumented functionality or a repurposed backend, both of which can enable unauthorized processing of identifiable video and sensitive inferences outside user expectations and approved use.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Inferring constitution, organ condition, and personalized health advice is far beyond a workplace stress-heatmap function and enters sensitive health-diagnosis territory. In an enterprise office monitoring context, this is especially dangerous because employees may be subjected to covert or non-consensual health-style profiling derived from facial video, increasing legal, ethical, and discrimination risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code accepts arbitrary http/https URLs and forwards them to the backend as videoUrl without any allowlisting, origin validation, or restriction to the declared fixed-camera enterprise deployment model. In a workplace video-analysis skill, this broadens collection to potentially any reachable remote video source and can enable misuse for analyzing unauthorized third-party footage, creating significant privacy, policy, and potential SSRF-like backend fetch risk depending on how the downstream service retrieves the URL.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The skill includes report listing and export-link construction capabilities beyond simple heatmap generation, which increases exposure of previously generated analysis artifacts. If access control is weak elsewhere, these helper functions make bulk discovery and retrieval of sensitive organizational stress-analysis reports easier, expanding the data-access surface beyond the manifest's stated purpose.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The manifest claims anonymous, group-level workplace stress heatmaps, but the code requires an `open-id` and exposes history retrieval keyed to that identifier. This creates a clear mismatch between the stated privacy-preserving purpose and an implementation capable of tying analysis activity to a specific user, increasing the risk of employee tracking, access to user-scoped records, or repurposing sensitive behavioral data.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The implementation is a generic video-analysis wrapper that forwards arbitrary inputs to `skill.get_output_analysis(...)` rather than enforcing the narrowly described office stress-heatmap use case. In a surveillance-sensitive context, this gap matters because a broad video-analysis client can be reused for unrelated or more invasive analysis than users or reviewers would expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code accepts arbitrary remote video URLs even though the skill is described as processing fixed enterprise camera feeds. Allowing unrestricted URLs expands the trust boundary and enables analysis of external or unapproved footage, which increases privacy, compliance, and misuse risk in a system already centered on sensitive workplace monitoring.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file defines a generic User model and DAO that persist usernames, email, birthday, age, sex, and tokens, which is unrelated to a skill described as producing only anonymous group-level office stress heatmaps. This data-collection capability materially expands the privacy and abuse surface and undermines the claimed data minimization model.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest claims the system is anonymous and does not identify individuals, but this code stores directly identifying profile data and authentication-like token fields in a local database. That mismatch is dangerous because users and administrators may rely on false privacy assurances while the implementation retains linkable personal and credential-related data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The module header presents this as a lightweight local database wrapper, but the implementation includes persistent identity and token storage inconsistent with the stated anonymous analytics use case. Misleading documentation is a security/privacy concern because it obscures the real data handling behavior and can prevent proper review, consent, and controls.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The utility performs account provisioning, token acquisition, and local persistence of user profile/authentication data even though the skill is described as anonymous, group-level stress heatmap analysis. This expands the data-handling surface from anonymous analytics to authenticated identity-linked operations, creating unnecessary privacy, consent, and credential-handling risk if reused by the skill or compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The helper function sends phone/openId-style identifiers to a health endpoint to silently log in or register a user, which is unrelated to the stated purpose of anonymous workplace stress heatmaps. Silent registration/login without clear need or user awareness is dangerous because it enables covert identity linkage and backend account creation from a supposedly anonymous workflow.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code stores tokens, open tokens, and user profile-derived data through the DAO layer after auto-provisioning an account. Persisting credentials and profile data is unjustified for an anonymous group analytics skill and increases the blast radius of compromise through credential theft, cross-session tracking, and unintended retention of personal data.

VirusTotal

62/62 vendors flagged this skill as clean.
