Plant Species Recognition Skill | 植物物种识别技能

Security checks across malware telemetry and agentic risk

Overview

This skill should be routed to Review: it is advertised as plant recognition, but it also includes broader generic/health analysis, identity handling, cloud history retrieval, and local token persistence.

Install only after confirming you trust this publisher and are comfortable sending images or URLs, open-id/phone-like identifiers, and report history requests to the external service. Treat it as a broader cloud AI/health-analysis integration with account and token persistence, not as a narrow local plant identifier.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (36)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
89% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
89% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs reading local configuration files to obtain an open-id/API-related credential before performing analysis. For a plant-recognition skill, pulling identifiers from local workspace files expands access to sensitive local data and creates a path for unintended credential harvesting or misuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Adding a history-report query/listing feature broadens the skill from image recognition into retrieval of prior user records from a backend service. In this context, that increases exposure of potentially sensitive historical analysis data and makes accidental cross-session or cross-user disclosure more plausible.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documented API is for generic video analysis via a '/common-analysis' endpoint, while the skill claims plant species recognition from images. This mismatch is dangerous because it can conceal undeclared data processing and cause users or integrators to send unrelated content to a service with materially different behavior than advertised.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The API accepts video files or video URLs and returns face detection and diagnosis-style results, not plant-species recognition from images. In the context of a plant-recognition skill, this indicates undocumented scope expansion into human analysis, which can mislead users and enable collection of sensitive human data under false pretenses.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The response schema explicitly includes face detection and health/constitution assessment fields, which are highly sensitive and unjustified for a plant-species-recognition skill. This is especially dangerous because the skill context makes such biometric and health inference unexpected, increasing the risk of covert sensitive-data processing and regulatory noncompliance.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The skill exposes a delete operation keyed only by a camera serial number, which is unrelated to the stated plant-species recognition function and suggests access to external device or record management capabilities. If an agent or caller can invoke this path without strict authorization and object-level checks, an attacker could delete records or device-associated data by supplying known or guessed camera identifiers.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The configured endpoints point to health-analysis and generic AI-analysis APIs rather than plant-species recognition functionality advertised by the skill metadata. This mismatch strongly suggests the skill may send user-provided images or metadata to an unrelated backend, creating a risk of deceptive data collection, privacy violations, and unauthorized processing under a false purpose.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The file comment identifies the component as a traditional Chinese medicine face-diagnosis analysis tool, which directly contradicts the plant recognition manifest. In context, this increases the likelihood that the skill is repurposed code or mislabeled functionality, making users and integrators believe plant images are being processed when the implementation may actually invoke medical/biometric analysis services.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation behavior is materially inconsistent with the declared plant-species-recognition purpose: it accepts video inputs/URLs, invokes generic analysis endpoints, and processes health/common AI response structures. This kind of capability mismatch is dangerous because users may unknowingly send unrelated or sensitive media to a backend under a misleading plant-identification label, undermining consent, privacy expectations, and security review boundaries.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The report-listing logic exposes health/face-analysis fields such as healthAssessment and faceAnalysisResponse despite the skill being presented as plant species recognition. This creates a significant data-exposure and trust-boundary issue because users or integrators may retrieve or display sensitive human-analysis results through a skill that appears unrelated to personal or biometric-style data processing.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill accepts arbitrary remote URLs and forwards them as videoUrl even though its declared purpose is plant identification from images. This expands the attack surface by enabling unexpected remote resource processing, potential misuse of backend fetch behavior, and user confusion about what external content is being analyzed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation performs video analysis and history retrieval, which materially conflicts with the declared plant-species-from-images purpose. This kind of capability mismatch is dangerous because users and reviewers may grant the skill permissions or trust assumptions appropriate for benign image classification while the code actually processes different data types and may expose unrelated functionality.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The historical analysis listing feature is unrelated to the stated plant-recognition use case and may expose prior user activity or analysis outputs without clear necessity. In a mislabeled skill, hidden retrieval features increase the risk of unauthorized data access, privacy leakage, and user deception.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The docstrings and CLI interface repeatedly describe a video analysis tool, directly contradicting the published plant-image recognition description. This discrepancy is a strong indicator of repurposed or deceptive code and makes security review harder, because operators may misunderstand what data is collected, transmitted, and stored.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file implements a generic network service layer with broad CRUD and arbitrary HTTP methods that are not scoped to plant-species recognition functionality. In an agent skill context, such wrappers can be reused by higher-level code to contact unexpected endpoints or perform unintended remote actions, expanding the attack surface and enabling data exfiltration or unauthorized operations if untrusted inputs reach these methods.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This shared configuration code reads user and platform identifiers from environment variables that are unrelated to plant-species recognition, expanding the skill's access to contextual identity data without clear necessity. In a reusable module, this can enable unnecessary collection or propagation of user identifiers across skills, increasing privacy risk and the chance of accidental leakage to logs, downstream APIs, or other components.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a generic DAO for sys_user records, including email, birthday, token, open_token, and source identifiers, which is materially unrelated to plant species recognition. Such hidden account/token persistence expands the skill's data-collection surface and creates privacy and credential-retention risk without a justified functional need.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code derives workspace paths, reads OPENCLAW_WORKSPACE, creates a data directory, and initializes a local SQLite database. For a plant image-recognition skill, this is an unnecessary capability that enables local state persistence and broader filesystem interaction than expected, increasing the chance of covert data retention or misuse.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility layer performs account discovery, remote login/registration, token issuance, and credential reuse logic that is unrelated to a plant-species recognition skill's stated purpose. Bundling hidden identity and authentication management into generic request helpers creates covert data flows, expands attack surface, and enables unauthorized remote account actions whenever the skill makes API calls.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The _get_or_create_user helper silently sends a username/mobile/openId to a remote /sys/phoneLogin endpoint with register=1, meaning API use can trigger account creation or login without explicit user approval. For a plant-identification skill, this is unjustified collection and transmission of identity data and could create accounts tied to user identifiers unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code persists and mutates token and openToken values through DAO save/update operations, storing credential state beyond what is necessary for simple plant recognition. Local persistence of reusable authentication material increases exposure to credential theft, session abuse, and unintended cross-session impersonation if the host environment is shared or compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill includes recharge/payment workflow instructions and suggests installing another payment skill when API usage fails. This is unrelated to plant recognition and indicates hidden monetization or account dependency that can steer users into additional actions outside the stated skill purpose.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases for history report retrieval are broad and loosely scoped, so ordinary user language could unintentionally invoke backend record listing. Because this feature accesses historical data rather than just analyzing current media, accidental activation can expose report metadata the user did not explicitly request.

VirusTotal

65/65 vendors flagged this skill as clean.