S2 Zero-Privacy Elder Guardian Agent (S2 零隐私老人守护者智能体)

Security checks across malware telemetry and agentic risk

Overview

This elder-care skill matches a fall-monitoring purpose, but it stores and may transmit sensitive activity and health data with weak disclosure, consent, and retention controls.

Review carefully before installing. Use only with explicit consent from the monitored person or their authorized caregiver, point S2_BUS_ENDPOINT only to a trusted internal service, and add pseudonymous identifiers, restrictive file permissions, retention/deletion controls, and clear access rules before any real elder-care deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill markets itself as a 'zero privacy' elderly sentinel, but explicitly instructs persistent local recording of gait-decline data for future medical research. In an elderly-care monitoring context, this is sensitive health/behavioral data, so undisclosed retention materially increases privacy and compliance risk and could mislead operators into deploying a surveillance-like function under a privacy-preserving label.

Scope Creep

Medium
Confidence
87% confidence
Finding
The manifest grants write access to `s2_bas_governance/elderly_care/*`, while the instructions reference a different sandbox location `elderly_care/`. This mismatch can cause writes to occur outside the user-expected path, undermining data containment guarantees and making sensitive elderly-care records harder to audit or delete correctly.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises 'zero privacy' elderly monitoring but persistently writes identifiable activity logs containing timestamps, subject alias, event type, and source DID to local disk. In a health-monitoring context, this creates sensitive behavioral records that can be accessed, retained, or repurposed beyond the stated alerting function, making the privacy claim materially misleading and dangerous.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comment frames local directory creation as making permission use 'legitimate,' but the code still expands its behavior from transient fall detection into undeclared on-disk persistence. That mismatch is risky because it normalizes silent scope creep and can mislead reviewers or operators about what data the agent actually stores.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The dashboard binds a persistent DID and elderly name directly into health-monitoring views and API paths, creating identity-linked exposure of sensitive medical and behavioral data. In an elderly-care context, this is especially dangerous because the skill claims 'zero privacy' while presenting continuous surveillance outputs, increasing the risk of overcollection, unauthorized disclosure, and misuse of highly sensitive personal data.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The dashboard goes beyond fall detection by exposing sleep monitoring, restlessness, bed-exit behavior, and semantic ADL logs, which materially expands surveillance beyond the declared purpose. This scope creep is dangerous because it collects intimate lifestyle and behavioral data about a vulnerable population, creating privacy, profiling, and secondary-use risks unrelated to the stated safety function.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Displaying 'door unlocked (Fail-Open)' signals linkage to physical access-control state, which conflicts with the stated non-physical-execution health sentinel scope. In this context, exposing or normalizing fail-open door behavior can aid unauthorized access, reveal unsafe emergency configurations, and indicate hidden coupling between health events and building security controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes local recording of elderly gait-decline data without any user warning, consent flow, retention notice, or privacy impact statement. Because this is health-adjacent monitoring data about a potentially vulnerable population, silent retention materially raises privacy, legal, and misuse risks even if the system avoids cameras or direct actuation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code stores sensitive elderly activity logs to disk without any consent flow, warning, access controls, or retention management. Because this is health-adjacent monitoring of a potentially vulnerable subject, even routine activity records can expose private behavioral patterns and create compliance and abuse risks if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The agent sends fall alerts to an externally configured endpoint without explicit notice, consent, endpoint validation, or transport safeguards beyond whatever URL is supplied in the environment. In this context, alerts reveal a subject alias and medical-emergency inference, so misconfiguration or abuse of the endpoint can leak sensitive health information to unauthorized recipients.

VirusTotal

67/67 vendors flagged this skill as clean.