Universal Home Space Parser Engine (智能家居空间场景解析器)

Security checks across malware telemetry and agentic risk

Overview

The skill openly provides a local smart-space parser plus MCP demo and plaintext causal-event logging, but it should not be treated as production-safe physical-control software.

Install only for controlled local experimentation. Do not connect it to real smart-home or facility actuators without adding explicit authorization, confirmation, truthful execution status, safety checks, and log retention controls. Replace the manual's shell exec example before exposing any web API, and review or disable the JSONL logging if action parameters or environmental data could reveal private behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The deployment guide introduces a shell-based bridge using child_process.exec to invoke Python from a web API. In a skill whose stated purpose is space parsing plus a local MCP server/logging, adding shell execution materially expands the attack surface and can enable command injection or arbitrary process execution if inputs or paths are manipulated.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The 美容院 (beauty salon) entry explicitly states that no visual cameras may be deployed, yet the same object is still classified under the visual sensing category. That inconsistency can mislead downstream code, policy engines, or integrators into treating a prohibited sensing capability as available, creating a real privacy-control bypass risk in a skill that models physical surveillance-related hardware.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The tool advertises secure physical execution, but it never performs any real actuation or verifies device state; it hard-codes SUCCESS and fabricated before/after telemetry. This can mislead upstream agents or operators into believing safety-critical actions occurred, creating unsafe automation decisions, false audit trails, and training data corruption.

Missing User Warnings

Medium
Confidence: 98%
Finding
The example constructs a shell command with user-controlled input: execAsync(`python3 ${pythonScriptPath} --space "${space}"`). Because exec runs via a shell, an attacker can potentially inject shell metacharacters through the space parameter and achieve arbitrary command execution in the context of the server process.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code appends arbitrary causal event data to a local JSONL training dataset file and only emits an internal log message, with no user-facing notice, consent, minimization, or review step. In the context of an MCP-integrated skill that explicitly advertises data harvesting for world-model training, this creates a real privacy and data-governance risk because user or environmental data may be persistently collected without meaningful disclosure.

Natural-Language Policy Violations

High
Confidence: 98%
Finding
The comments, class naming, and log strings explicitly frame the component as a 'data harvester' and 'world model' training collector, but there is no corresponding consent, choice, or policy enforcement in the implementation. Because the skill also has disk-write capability and local server integration, the surrounding context makes this more dangerous: it suggests the component can continuously accumulate potentially sensitive interaction or state data for later model training without user awareness.

Missing User Warnings

High
Confidence: 94%
Finding
This tool exposes an action interface for physical operations and persistent causal logging without any confirmation, authorization, policy check, or explicit consent for environmental impact and data retention. In the context of an MCP server callable by external agents, this increases the risk of unauthorized actuation, unsafe automation, and silent collection of occupancy/environmental data.

Ssd 3

Medium
Confidence: 92%
Finding
The function is designed to persist full action/state histories for future model training, including occupancy and environmental state, without minimization, retention limits, or privacy controls. In a smart-space context, such histories can reveal behavioral patterns, location usage, and sensitive operational details if accessed or repurposed.

Ssd 3

Medium
Confidence: 90%
Finding
The resource exposes recent causal event logs directly to agents with no visible access control, filtering, or sensitivity review. Even the sample events disclose operational security and environmental transitions, which in a real deployment could leak occupancy routines, security posture, or other sensitive context to unauthorized consumers.

VirusTotal

66/66 vendors flagged this skill as clean.