Back to skill

Security audit

Farmland Weed Identification | 农田杂草识别与密度评估

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to analyze field images or videos, but it also silently creates or reuses account identity and stores authentication tokens, so it should be reviewed before installation.

Install only if you are comfortable with a remote LifeEmergence service receiving the media or URLs you analyze, silently associating activity with an internal account identity, storing/reusing local authentication tokens in the workspace data directory, and querying cloud report history. Avoid using it on sensitive files or private URLs unless that account linkage and upload behavior are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The manifest presents no declared permissions while the documented workflow clearly relies on shell execution, filesystem access, network access, and likely local state handling. This weakens reviewability and consent because an operator may authorize an apparently simple image-analysis skill without realizing it can execute commands, persist files, and contact remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to do weed identification, but the behavior described includes identity creation/reuse, backend account or token handling, historical report retrieval, and generic upload processing. This mismatch is dangerous because users and reviewers may grant trust to a narrow agricultural imaging tool while it actually performs broader data access and persistence operations that affect privacy and account scope.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The code for a purported farmland weed-identification skill is parameterized with pet-category values (cat, dog, other) and mutates a global default based on that input. This strongly indicates the skill is miswired to unrelated functionality, so users may receive incorrect analysis results while believing they are making agronomic decisions from valid weed data. In this context, silent task substitution is dangerous because it can directly mislead field treatment decisions and undermine trust in downstream heatmap outputs.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The user-facing CLI describes farmland weed analysis, but the execution path passes a pet-type selector into the core routine, creating a mismatch between documented behavior and actual control inputs. This is a functional integrity issue: an operator may trust the output as agronomic analysis when the underlying model or configuration may be unrelated, causing unsafe or wasteful precision-weeding decisions.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The skill accepts arbitrary http/https URLs and forwards them to the analysis service without restricting domain, content type, or purpose. In this context, that expands the skill from local image analysis into arbitrary remote resource submission, which can enable unintended data transfer, backend misuse, or SSRF-like behavior if the downstream service fetches attacker-controlled URLs.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file’s implemented behavior materially contradicts the declared skill purpose: the manifest says top-view field image weed identification, but the code performs generic video analysis and history listing through backend skill methods. This kind of capability mismatch is dangerous because it can mislead users, reviewers, and calling systems into granting permissions, data access, or trust appropriate for agricultural image processing while actually invoking unrelated remote analysis functionality.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The CLI explicitly presents itself as a video analysis tool, which reinforces the mismatch with the published weed-identification image-analysis description. Deceptive or inconsistent user-facing text increases the risk of operators submitting unintended media, exposing different data than expected, and using a skill under false assumptions about its scope and data handling.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file exposes generic CRUD methods and arbitrary HTTP verb wrappers that are far broader than a weed-identification skill should require. In the context of an agent skill, this creates unnecessary capability expansion: other parts of the skill can invoke remote actions, enumerate data, or interact with unrelated backend endpoints, increasing the blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The get_user_by_username capability is unrelated to image-based weed analysis and introduces access to user-account information without a clear business need. Such out-of-scope identity lookup functionality can enable account enumeration or unauthorized retrieval of user metadata if exposed through the skill or abused by adjacent code.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The file embeds generic user-account persistence in a skill whose stated purpose is weed-image analysis, creating unnecessary identity and account-handling capability unrelated to the advertised function. In an agent ecosystem, this kind of hidden secondary functionality increases the attack surface and enables collection or reuse of user records without clear business need.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The User model stores personal profile data and authentication-like secrets such as token and open_token despite the skill being for agricultural image analysis. Retaining these fields locally expands the impact of compromise, enables credential or session theft, and creates unjustified privacy exposure disconnected from the skill's declared purpose.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The DAO exposes broad create, update, delete, and user-oriented mutation operations that exceed the narrow analytics role described for the skill. Excess write capability is dangerous in a mismatched-scope skill because it can be repurposed to alter local state, persist unauthorized data, or support hidden behavior not expected by users or reviewers.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a generic `ai_chat(prompt, session_id, timeout)` agent interface that is unrelated to the stated weed-identification purpose. In an agent-skill ecosystem, unjustified generic LLM/agent execution expands capability beyond the declared scope and can become a covert execution or data-exfiltration surface if later re-enabled or inherited by other code.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Accepting an arbitrary `prompt` for agent execution is not justified by the farmland weed-analysis description, which should operate on images and structured agronomic outputs rather than free-form agent tasks. This creates unnecessary prompt-driven behavior that could be abused to perform unrelated actions or process sensitive context if the backend invocation is later activated.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This shared utility implements generic authenticated API access, token management, and remote account bootstrap behavior that are unrelated to the stated weed-identification purpose. In a skill expected to analyze field images, hidden support for arbitrary authenticated backend interaction broadens the attack surface and enables undisclosed data exchange or account actions beyond user expectations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code automatically resolves, creates, and persists user identities, including generating default open IDs and storing/reusing local user records, despite this behavior being unrelated to farmland weed analysis. Auto-provisioning identities without a clear user-triggered authentication flow can silently bind users to remote services and create long-lived tracking or unauthorized account state.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The utility reads an identity-like value from data/smyx-api-key.txt in the workspace and uses it for account resolution, which is outside the declared scope of image-based weed analysis. Reading locally stored credential or identifier material without clear disclosure can lead to unintended credential reuse, identity confusion, or silent linkage of the skill to another account context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Overly broad automatic trigger phrases for historical report lookup can cause the skill to perform cloud queries and reveal prior-report metadata when the user did not intend that action. In a system with implicit identity reuse, accidental activation increases the risk of unauthorized or surprising access to sensitive historical data.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Using a vague phrase like '历史报告' as an automatic trigger is especially risky because it is common in normal conversation and may invoke remote history access unintentionally. When paired with automatic identity association and cloud-only retrieval, this can disclose report listings or links without clear user consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code reads the full local file content and sends it to an external analysis service without any visible user-facing disclosure or consent mechanism in this file. For a skill advertised as field-image weed analysis, silent upload behavior can cause unintentional exposure of local data, especially if users provide the wrong file or if the accepted formats are broader than necessary.

Missing User Warnings

Low
Confidence
72% confidence
Finding
When a remote URL is provided, the skill silently forwards that URL to the analysis service with no warning. This is less severe than local file exfiltration, but it still creates a transparency and privacy issue because users are not informed that their supplied URL will be transmitted to another service for retrieval or analysis.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The delete method provides a direct wrapper for remote destructive actions with no visible confirmation, restriction, or domain-specific scoping. In an overprivileged skill already containing arbitrary API wrappers, this increases the chance of accidental or unauthorized deletion of backend resources if the method is reachable from agent logic.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code derives a workspace path from the OPENCLAW_WORKSPACE environment variable or filesystem layout and then uses that path to locate identity data. In this skill context, that creates undisclosed access to environment-influenced local data and can cause the skill to consume sensitive account material from a broader workspace than the user expects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request layer automatically attaches identity and authentication material such as X-Access-Token, X-Api-Key, Authorization, and pnaUserName to outbound HTTP requests without a user-visible warning or narrow scoping to the weed-analysis function. This creates a substantial risk of undisclosed credential transmission, account linkage, and overbroad remote access if endpoints or calling code are misused.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
91% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2