Back to skill

Security audit

Crop-Specific Disease Database | 经济作物专属病害库

Security checks across malware telemetry and agentic risk

Overview

This crop-disease skill mostly matches a cloud analysis tool, but it silently creates or reuses account identity, reads and stores local tokens, and uploads media/history requests with limited user control.

Install only if you are comfortable with a cloud-backed skill that may upload crop images/videos or submitted URLs, query cloud history, create or reuse a local identity, and store service tokens in a workspace SQLite database. Avoid using it with private media or shared workspaces until the publisher documents retention, token handling, and confirmation controls more clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of shell execution, local file handling, network access, and implicit identity handling, but declares no permissions or trust boundaries. This creates a capability mismatch that can lead to over-privileged execution, silent data exfiltration, or unsafe operator assumptions about what the skill is allowed to do.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation materially diverges from the declared skill purpose: instead of narrowly performing crop leaf-disease recognition, it accepts arbitrary local files or remote URLs for generic analysis submission. This broadens the skill's effective capability and can mislead users into sending unintended data to a backend service, creating a significant scope/consent and data-exfiltration risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill exposes report listing and export-link generation features that are outside the stated disease-identification function. Extra data-access functionality increases the chance of unauthorized report discovery or sharing, especially if upstream access control is weak or callers do not expect this skill to enumerate historical analysis artifacts.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation behavior materially conflicts with the declared skill purpose: instead of crop-specific leaf-disease recognition, it performs generic video analysis and history listing via a remote skill object. This kind of capability mismatch is dangerous because users and orchestrators may grant inputs, permissions, or trust based on the manifest, while the code actually transmits different data and performs unrelated operations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The inline documentation and CLI text explicitly present the tool as a video-analysis utility, contradicting the published crop-disease-analysis description. This inconsistency increases the risk of deceptive deployment, operator confusion, and inappropriate data sharing, because users may invoke the skill expecting plant analysis while providing media to an unrelated remote workflow.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file exposes a broad, generic API wrapper that can issue arbitrary GET/POST/PUT/DELETE requests and generic CRUD actions, which is far beyond the stated purpose of a crop-specific leaf disease analysis skill. In an agent setting, this kind of overbroad capability increases attack surface and can be repurposed to access or modify unrelated backend resources if any untrusted input can influence the target URL, parameters, or payloads.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The get_user_by_username capability introduces user-account lookup functionality that is unrelated to crop disease recognition and may enable account enumeration or unauthorized access to identity-related data. Because the skill context is agricultural disease analysis, the presence of identity lookup is especially suspicious and unjustified, making misuse more dangerous rather than less.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file defines persistent user/account data handling, including identity fields and token storage, which is materially unrelated to a crop-specific disease-recognition skill. Such scope mismatch is dangerous because it introduces hidden data-collection and persistence capabilities that expand attack surface and can enable unnecessary retention of sensitive user information.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model persists authentication- and identity-related fields such as username, email, token, and open_token despite the skill being described as plant disease analysis. Storing these values without a clear functional need increases the risk of credential/token leakage, privacy violations, and unauthorized reuse if the local database is accessed by other components or compromised.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code initializes and mutates a shared local SQLite database for a skill whose stated purpose is disease-library expansion and image-based recognition. Unnecessary persistence is risky in this context because it creates durable state, potential cross-skill data exposure in the shared workspace data directory, and a place to retain sensitive data beyond user expectation.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This utility file contains broad workspace discovery, directory creation, identity resolution, API-key file reading, and local account persistence that materially exceed the stated crop-disease analysis purpose. Such hidden capability expansion increases attack surface and can let a seemingly narrow skill access unrelated local resources and establish persistent identities without clear user expectation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The request helper performs authenticated outbound API calls, auto-loads tokens, and can trigger account creation/login flows, which is far beyond the declared purpose of expanding a leaf-disease recognition library. In context, this mismatch is especially concerning because users would reasonably expect an offline/domain-specific classifier, not a component that transmits identity and operational data to external services.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads a local API-key identity file and falls back to creating and persisting synthetic user identities in a local database, behavior unrelated to crop-disease recognition. This can silently bind the skill to local credentials or create durable identifiers, enabling unintended tracking, impersonation of a local user context, or unauthorized use of linked services.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The history-report trigger phrases are broad enough that ordinary user language could cause automatic invocation of cloud report queries without clear confirmation. In a skill that auto-associates identity and fetches prior reports, this increases the risk of unintended access to potentially sensitive historical data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs automatic saving of uploaded attachments to local storage, but does not provide a clear user-facing notice about retention, location, duration, or cleanup. Silent persistence of user-supplied files can expose sensitive data to other processes, future sessions, or accidental leakage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads arbitrary local file contents into memory and submits them, or forwards a user-supplied remote URL to the analysis service, without any visible disclosure, confirmation, or data-handling warning in this file. In a skill presented as plant-disease recognition, that hidden transfer behavior can lead to accidental leakage of sensitive files or remote-resource abuse if users assume only narrow image processing is occurring.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code accepts a hidden API key parameter and sends user-provided local paths or URLs to remote analysis functions without clear disclosure in the CLI help. Hidden credential and network-use behavior is risky because users may unknowingly transmit sensitive media or metadata, and suppressed help reduces informed consent and auditability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function silently reads data/smyx-api-key.txt to obtain an internal identity value without user-facing notice. In this skill context, that is dangerous because a crop-disease analysis add-on has no obvious reason to inspect local credential-related files, so the behavior violates least surprise and can expose or misuse local identity information.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The helper silently sends openId, mobile, and source fields to a remote /sys/phoneLogin endpoint and enables registration/login automatically. This is risky because it transmits identity-related data off-host without visible disclosure or consent, and in a disease-analysis skill such behavior is unexpected and difficult for users to detect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The general request helper automatically injects tenant code, skill hub/platform metadata, and username into outbound requests without any user-facing warning. This creates covert data sharing and expands the privacy impact of any caller that uses the helper, especially problematic in a skill whose stated function is crop-disease recognition rather than account-linked cloud operations.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
95% confidence
Finding
requests.post(_url, json=

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2