Back to skill

Security audit

Crop Pest Identification | 经济作物虫害识别

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform crop pest analysis as described, but it also silently creates or reuses cloud-linked identities and stores authentication tokens locally, which needs user review before installation.

Install only if you are comfortable with local crop media or provided URLs being sent to the lifeemergence/open.lifeemergence service, and with the skill silently creating or reusing an internal account identity, reading workspace identity state, storing authentication tokens in a local SQLite database, and querying cloud report history for that identity. Review or clear the workspace data directory if you do not want persistent identity reuse across runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
78% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The manifest advertises no permissions while the skill instructions clearly require shell execution, local file handling, network access, and likely use of environment/config state. This under-declaration is dangerous because reviewers and users cannot accurately assess the real trust boundary, and the skill processes user-supplied files/URLs and sends them to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is narrow pest identification, but the described behavior extends to account creation/login, internal identity resolution, local token reuse, historical report retrieval, and generic backend forwarding. This mismatch is dangerous because it conceals sensitive identity, persistence, and remote-account behaviors that materially expand privacy and security risk beyond what a user would reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The history-listing capability exposes prior analysis records via `skill.get_output_analysis_list(open_id=open_id)`, which expands the feature beyond on-demand processing of user-supplied media. In a media-analysis context, historical outputs may contain sensitive agricultural, operational, or user-associated data, and exposing them without strong authorization boundaries can enable unintended information disclosure.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This helper exposes broad generic CRUD and arbitrary HTTP request methods that are not constrained to the stated pest-identification use case. In an agent skill that may process user-supplied URLs, files, and parameters, such unrestricted wrappers increase the attack surface for unintended remote actions, data exfiltration, or abuse by other parts of the skill stack.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements generic CRUD for local user/account persistence, including update and delete operations, which is outside the declared crop pest identification purpose. Capability drift increases the attack surface and creates unnecessary handling of personal and account-linked data in a skill that should mainly process pest-analysis media.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The User model stores identity and authentication-related fields including username, realname, email, token, and open_token, none of which are needed for pest identification. Retaining tokens in a local SQLite database materially raises the impact of compromise, enabling account takeover or cross-service abuse if the database is read by another component or leaked.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The documentation describes a lightweight local CRUD wrapper, but the implementation also detects agent context and forcibly redirects database paths into a shared workspace data directory across skills. That cross-skill storage behavior is security-relevant because it can broaden data exposure boundaries and undermine isolation assumptions between unrelated skills.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This utility code creates, resolves, and persists user identities independently of the crop-pest analysis function, including reading an identity from a workspace file and generating fallback identities stored in a local database. That materially expands the skill's scope and enables silent identity binding and persistent account use without clear user consent, which is risky in an image-analysis skill where users would not reasonably expect account provisioning behavior.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The HTTP helper silently performs user lookup, auto-registration/login, token acquisition, token refresh, and local token persistence before making ordinary API calls. For a pest-identification skill, this is dangerous because arbitrary invocations of a general network helper can trigger hidden account actions and long-lived authentication state, increasing privacy, abuse, and unauthorized service-consumption risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill auto-triggers history-report queries from broad natural-language phrases without clear exclusions or confirmation. In context, this can cause unintended retrieval of cloud-stored user reports and disclosure of report metadata or links when a user is only discussing reports rather than requesting access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description says the skill analyzes local files or URLs via server-side APIs, but it does not clearly warn users that their local media or referenced remote content will be transmitted to an external service. This omission is dangerous because users may unknowingly send sensitive images, metadata, or private URLs off-platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script resolves an internal user identity via `OpenIdUtil.resolve_current_open_id(...)` without clearly informing the user that identity context is being derived and used. In a skill that can list prior analysis results, this hidden identity coupling can expose or retrieve data tied to an internal account boundary, creating a privacy and authorization risk if users are unaware of which identity is in effect.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill reads arbitrary local file contents and submits them to a server-side analysis service, but this file shows no user-facing consent, disclosure, or trust boundary messaging before transmission. In a skill handling local media and remote URLs, that can lead to unintended exfiltration of sensitive local content or metadata to external services, especially if users assume processing is local.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads a sensitive identity value from data/smyx-api-key.txt and uses it as an internal identity source without any user-facing disclosure. In this skill context, that can silently cause requests to be attributed to a workspace-level identity unrelated to the current user, creating privacy, consent, and cross-session attribution risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code automatically sends identity fields such as openId and mobile to a remote login/registration endpoint with silent/register flags set, without visible disclosure at the point of use. In a crop-image analysis skill, such hidden transmission is especially concerning because users expect media analysis, not background account enrollment or identity submission to external services.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
88% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2