
Security audit

Plant Species Recognition Skill | 植物物种识别技能

Security checks across malware telemetry and agentic risk

Overview

This plant-recognition skill also creates or reuses an account identity, sends files and identity-linked metadata to external services, and persists tokens locally, so it needs review before installation.

Install only if you are comfortable with the skill sending uploaded plant images or videos, account-linked identifiers, and report queries to the lifeemergence/open.lifeemergence services, and with it creating local workspace data that may contain reusable service tokens. Review or clear the workspace data directory if you do not want persistent identity reuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
71% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
71% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)
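Why the two getattr() findings above matter in practice, shown as an added example that is not the skill's own code: the User rows and both filter functions below are constructed stand-ins for the audited ORM pattern. Because the filter key is caller-controlled, any attribute of the model becomes a query target, including the token columns the later findings describe, which turns a "list my history" endpoint into an existence oracle for secrets. The allowlisted variant is the fix a reviewer would ask for.

```python
"""Why a caller-chosen key into getattr(model, key) is flagged: every
attribute of the model becomes a filter target, including secret columns.
Added example. The User rows and both filter functions are constructed
stand-ins for the audited ORM code, not the skill's own source."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List


@dataclass(frozen=True)
class User:
    id: int
    username: str
    email: str
    token: str        # bearer/session secret: must never be a filter target
    open_token: str   # same


# Constructed sample rows, not real accounts.
ROWS: List[User] = [
    User(1, "alice", "alice@example.com", "tok-8f3a", "ot-11"),
    User(2, "bob", "bob@example.com", "tok-c0de", "ot-22"),
]

# Columns a history/list endpoint legitimately needs to filter on.
FILTERABLE = frozenset({"id", "username", "email"})

FilterFn = Callable[[Iterable[User], Dict[str, Any]], List[User]]


def filter_unchecked(rows: Iterable[User], filters: Dict[str, Any]) -> List[User]:
    """Mirror of the audited pattern: each key goes straight into getattr()."""
    out = list(rows)
    for key, value in filters.items():
        # Unknown keys raise AttributeError (a crash a remote caller can trigger);
        # known-but-secret keys such as "token" silently work.
        out = [r for r in out if getattr(r, key) == value]
    return out


def filter_allowlisted(rows: Iterable[User], filters: Dict[str, Any]) -> List[User]:
    """Hardened form: reject any key outside the allowlist before touching the model."""
    unknown = set(filters) - FILTERABLE
    if unknown:
        raise ValueError(f"non-filterable column(s): {sorted(unknown)}")
    return filter_unchecked(rows, filters)


def token_oracle(filter_fn: FilterFn, guess: str) -> bool:
    """One probe of a guess-the-secret attack: does any row carry this token?
    With the unchecked filter a caller can confirm or brute-force tokens one
    request at a time; the allowlisted filter refuses the column outright."""
    return bool(filter_fn(ROWS, {"token": guess}))


if __name__ == "__main__":
    print("unchecked oracle hit:", token_oracle(filter_unchecked, "tok-8f3a"))
    try:
        token_oracle(filter_allowlisted, "tok-8f3a")
    except ValueError as exc:
        print("allowlisted:", exc)
```

The same allowlist should be applied to the sort and pagination helpers that accept column names, since the finding's `offset`/`scalar()` context suggests the filter is shared by several query paths.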

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The manifest advertises no explicit permissions while the skill instructions require shell execution, local file handling, network access, and likely environment-derived identity use. This under-declaration weakens security review and consent boundaries because operators may approve or invoke the skill without understanding its real capability surface.
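The "Behavioral AST" pattern from the list above and the under-declaration this finding reports can be checked mechanically. The following is an added example, not part of SkillSpector or of the skill: it derives the capabilities a script actually exercises from its Python AST (network, shell, environment reads, file access, dynamic code) and diffs them against a manifest. The manifest layout (a `permissions` set) and `SAMPLE_SCRIPT` are constructed for illustration; the skill's real manifest format and source are not shown on this page.

```python
"""Detect the under-declaration the Lp3 finding describes: derive the
capabilities a skill's Python actually exercises from its AST and diff them
against what the manifest declares. Added example; the manifest layout
(a "permissions" set) and SAMPLE_SCRIPT are constructed for illustration and
are not the skill's real manifest or source."""
import ast
from typing import Dict, Set

NETWORK_MODULES = {"requests", "urllib", "http", "httpx", "aiohttp", "socket"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output", "subprocess.check_call"}
ENV_CALLS = {"os.getenv", "os.environ.get"}
DYNAMIC_CALLS = {"eval", "exec", "__import__", "importlib.import_module", "getattr"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as os.environ.get as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.caps: Set[str] = set()

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self._module(alias.name)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:
            self._module(node.module)

    def _module(self, name: str) -> None:
        root = name.split(".")[0]
        if root in NETWORK_MODULES:
            self.caps.add("network")
        if root == "subprocess":
            self.caps.add("shell")

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name in SHELL_CALLS:
            self.caps.add("shell")
        if name in ENV_CALLS:
            self.caps.add("env")
        if name == "open":
            self.caps.add("filesystem")
        if name in DYNAMIC_CALLS:
            self.caps.add("dynamic_code")
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if _dotted(node.value) == "os.environ":   # os.environ["X"]
            self.caps.add("env")
        self.generic_visit(node)


def observed_capabilities(source: str) -> Set[str]:
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.caps


def underdeclared(source: str, manifest: Dict[str, Set[str]]) -> Set[str]:
    """Capabilities the code uses that the manifest never declared."""
    return observed_capabilities(source) - set(manifest.get("permissions", ()))


# Constructed script in the spirit of the audited code (not the skill's source).
SAMPLE_SCRIPT = '''
import os, subprocess, requests
workspace = os.environ.get("OPENCLAW_WORKSPACE")
with open("data/smyx-api-key.txt") as f:
    key = f.read()
subprocess.run(["ffmpeg", "-i", "clip.mp4", "frame.png"])
requests.post("https://api.example.invalid/analyze", json={"key": key})
column = getattr(Model, user_supplied_key)
'''

# A manifest that declares nothing, which is what the Lp3 finding reports.
EMPTY_MANIFEST: Dict[str, Set[str]] = {"permissions": set()}
```

A non-empty result from `underdeclared()` is the review gate: either the manifest grows to declare the capability, or the code loses it. Aliased imports (`import requests as r`) are caught by the import hook rather than by call names, which is why both are checked.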

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is plant recognition, but the skill also performs history retrieval, persistent identity creation/reuse, workspace/environment identity reads, and remote token/account operations against external services. This is dangerous because users and reviewers may authorize an image-analysis skill that actually handles identity state and broader remote-account interactions, increasing privacy and abuse risk far beyond the stated function.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script exposes a hidden history-listing capability via `show_analyze_list()` and the `--list` flag that is not reflected in the stated skill purpose of plant recognition. Undocumented functionality that retrieves prior analysis records can expand the data-access surface and may enable unauthorized discovery of user activity or prior submissions if access controls are weak or identity state is manipulated.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code initializes internal user identity context using `OpenIdUtil.resolve_current_open_id(...)` even though basic image recognition should not require hidden identity handling. Introducing concealed identity state increases the chance of cross-user data access, especially when combined with history-listing behavior, and creates a privacy-sensitive control path not disclosed by the skill description.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The comment says the internal identity is not exposed, but the parser still accepts a hidden `--open-id` parameter. Hidden but accepted identity parameters are dangerous because they create a misleading trust boundary: operators may assume the value cannot be user-controlled when it can be supplied directly, potentially enabling impersonation or access to another user's records if downstream checks are insufficient.
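What "hidden but accepted" means at the argparse level, as an added example rather than the skill's own CLI code: a `help=argparse.SUPPRESS` option disappears from `--help` yet is parsed normally, so a caller who knows the name controls the identity that later record lookups run as. The parser, the `--open-id` handling and the workspace identity value are constructed for illustration.

```python
"""What a help=argparse.SUPPRESS argument actually does: the flag vanishes
from --help but is still parsed, so a "not exposed" identity parameter is
fully caller-controlled. Added example; the parser, the --open-id handling
and the workspace identity value are constructed, not the skill's code."""
import argparse
from typing import Sequence


def build_parser(accept_hidden_open_id: bool) -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="analyze", description="analysis CLI (illustrative)")
    parser.add_argument("file", help="local file to analyze")
    parser.add_argument("--list", action="store_true", help="list previous analyses")
    if accept_hidden_open_id:
        # The pattern the finding describes: hidden from help, still accepted.
        parser.add_argument("--open-id", dest="open_id", default=None, help=argparse.SUPPRESS)
    return parser


def help_mentions_open_id(accept_hidden_open_id: bool) -> bool:
    """True only if --open-id shows up in the rendered help text."""
    return "--open-id" in build_parser(accept_hidden_open_id).format_help()


def resolve_identity(argv: Sequence[str], accept_hidden_open_id: bool,
                     workspace_open_id: str) -> str:
    """Identity that downstream record lookups (e.g. a history listing) would run as.
    With the hidden flag present, whatever the caller passes wins over the
    workspace identity; the hardened parser rejects the flag (argparse exits with
    status 2), so the identity can only come from the trusted source."""
    args = build_parser(accept_hidden_open_id).parse_args(list(argv))
    supplied = getattr(args, "open_id", None)
    return supplied or workspace_open_id
```

Removing the argument is the clean fix; if an override is genuinely needed for operators, it should be visible in help and gated on an explicit privilege check rather than on obscurity.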

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation behavior materially conflicts with the declared skill purpose: the code performs video analysis and history listing rather than plant-species recognition from images. This kind of capability mismatch is dangerous because users, reviewers, or downstream systems may grant the skill permissions or trust based on the manifest while it actually processes different inputs and may invoke unrelated backend functionality.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The inline comments, argument descriptions, and user-facing CLI all describe a video analysis tool, directly contradicting the published plant image recognition context. Misleading documentation around security-relevant behavior increases the risk of deceptive packaging, incorrect operator assumptions, and accidental exposure of capabilities that were not reviewed for this skill category.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This file exposes a generic API client surface including pagination helpers, CRUD-style methods, and arbitrary HTTP verb wrappers that are not narrowly scoped to plant-species recognition. In the context of a skill advertised as image-based plant identification, this creates unjustified network and remote-action capability that could be repurposed to access, modify, or delete remote resources if higher-level code passes attacker-controlled URLs or payloads.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The add, edit, and delete methods provide direct remote resource modification capabilities through simple pass-through POST calls, with no visible authorization checks, operation constraints, or domain restriction in this file. For a plant recognition skill, destructive or state-changing remote operations are unrelated to the stated purpose and increase the risk of abuse if invoked by untrusted inputs or integrated into a broader agent workflow.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The http_post, http_put, http_get, and http_delete methods are generic pass-through wrappers that enable arbitrary outbound network interactions beyond plant recognition needs. Such unrestricted wrappers expand the attack surface by permitting data exfiltration, SSRF-like access to internal services, or remote destructive actions if URL and parameters are influenced by other components.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The configuration initializer reads platform/user identity environment variables unrelated to plant-species recognition and stores them in global configuration fields. This creates unnecessary access to contextual identity data and expands the skill's data surface, which is risky because any downstream code using these globals could unintentionally disclose or misuse user identifiers.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This module implements a generic local database and user DAO with schema-management behavior that does not align with a plant-species recognition skill. Capability mismatch is a strong security signal because it indicates hidden persistence and account-data handling beyond user expectations, increasing the attack surface and making abuse or covert data collection more plausible.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores identity and authentication-related fields including username, realname, email, token, and open_token, none of which are justified by image-based plant identification. Unnecessary collection and persistence of credentials/tokens materially raises the risk of privacy violations, token leakage, and unauthorized account linkage if the local database is accessed or reused by other components.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Automatic database creation and ALTER TABLE schema mutation go beyond what is normally needed for a simple plant-recognition skill and create persistent state with migration capability. In context, this broadens the skill's power to silently establish or evolve local storage, which can facilitate stealthy data retention and make later misuse easier.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility module contains broad identity management, token handling, workspace inspection, local user persistence, and remote account/login flows that are unrelated to plant-species recognition. In the context of an image-based plant ID skill, this is dangerous because it quietly expands scope from plant analysis into account provisioning and credentialed network activity, increasing the chance of covert data collection or unauthorized service use.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads identity material from workspace state and persists or reuses it across runs, including OPENCLAW_WORKSPACE-derived paths and data/smyx-api-key.txt. For a plant recognition skill, this is context-inappropriate and creates a cross-workspace identity coupling that can expose or misuse credentials without a clear user expectation.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This code automatically registers or logs in a user against an external health-related endpoint using generated or reused identifiers, then caches returned tokens for later requests. In a plant identification skill, that behavior is highly suspicious and dangerous because it can create accounts, transmit identifiers, and obtain long-lived authorization tokens without a user understanding that unrelated external services are being contacted.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The history-report auto-trigger phrases are broad enough to activate cloud report retrieval based on common wording rather than clear, scoped intent. In context, this is risky because the skill links those phrases to account-associated historical data, so an ordinary request could unintentionally expose prior reports.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill says uploaded images/videos are automatically saved locally, but it does not provide a clear retention, location, or consent notice at the point of collection. This creates avoidable privacy and data-handling risk, especially since the skill also associates activity with persistent user identity and cloud reporting.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads an arbitrary local file into memory and sends it to a remote analysis API via `self.analysis(...)` without any user-facing disclosure, consent gate, or clear boundary on what data may leave the host. In a mismatched skill context advertised as plant recognition, this is more dangerous because users may provide sensitive local files under false expectations about what the skill does.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads sensitive identity information from data/smyx-api-key.txt silently and uses it as an internal identity source. Even if intended for convenience, doing this without clear disclosure or consent can leak or repurpose workspace credentials in a skill whose advertised purpose is plant species recognition.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This request path assembles and transmits usernames, tenant identifiers, API keys, access tokens, and authorization tokens to external services without any visible user-facing warning in the code path. In this skill context, hidden transmission of identity-linked metadata is dangerous because users would reasonably expect image analysis, not background account-linked network activity.

External Transmission

Medium
Category
Data Exfiltration
Content
        "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
    }
    try:
        _response = requests.post(_url, json=_data)
        if _response.status_code == 200:
            _response_json = _response.json()
            if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=
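A pre-send gate for the request path the two findings above describe (identity-linked fields transmitted with no user-facing warning, and the bare `requests.post`), as an added example and not the skill's client code: the host allowlist, the sensitive field names and the fake transport are constructed for illustration. The gate refuses egress to any host outside the allowlist and refuses payloads that carry identity fields the user has not explicitly consented to.

```python
"""A pre-send gate for the request path the finding describes: refuse to
transmit identity-linked fields to any host that is not allowlisted or that
the user has not consented to. Added example; the host allowlist, the field
names and the fake transport are constructed for illustration and are not the
skill's own client code."""
from typing import Any, Callable, Dict, FrozenSet, List, Set
from urllib.parse import urlparse

# Field names that identify an account or grant access when they leave the host.
SENSITIVE_KEYS = frozenset({
    "username", "tenant", "tenant_id", "api_key", "apikey", "access_token",
    "token", "open_token", "open_id", "authorization",
})
# Hypothetical: the only service host this skill is allowed to talk to.
ALLOWED_HOSTS: FrozenSet[str] = frozenset({"api.example.invalid"})


def sensitive_paths(obj: Any, prefix: str = "") -> List[str]:
    """Dotted paths of every sensitive key anywhere in a JSON-like payload."""
    found: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if str(key).lower() in SENSITIVE_KEYS:
                found.append(path)
            found.extend(sensitive_paths(value, path))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(sensitive_paths(item, f"{prefix}[{i}]"))
    return found


def guarded_post(url: str, payload: Dict[str, Any], consented: Set[str],
                 send: Callable[[str, Dict[str, Any]], Any]) -> Any:
    """Send only if the host is allowlisted and every identity field was consented to.
    `send` is injected so the gate can be exercised offline; in production it
    would wrap requests.post."""
    host = (urlparse(url).hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"egress to {host!r} is not allowed")
    undisclosed = sorted(set(sensitive_paths(payload)) - consented)
    if undisclosed:
        raise PermissionError(f"identity fields without user consent: {undisclosed}")
    return send(url, payload)


# Constructed payload shaped like the identity-linked metadata the finding lists.
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "file": "clip.mp4",
    "username": "alice",
    "auth": {"access_token": "tok-8f3a", "tenant_id": "t-42"},
    "source": "skill-hub",
}


def fake_send(url: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in transport that records instead of transmitting."""
    return {"url": url, "keys": sorted(payload)}
```

The `consented` set is where a consent notice at the point of collection would be recorded; an empty set, which is the state the audit describes, blocks every identity-bearing request while leaving plain file uploads to the allowlisted host untouched.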

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2
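The rule above can be reproduced against any config file you are about to trust. The following is an added example, not the scanner's own implementation: it flags URLs whose host is a raw IP or a known URL shortener and reports the line number the way the static-analysis output does. The shortener list and `SAMPLE_CONFIG` are constructed (the real `config-dev.yaml` is not shown on this page), and the plain-http check goes beyond the two conditions the rule names.

```python
"""Reproduce the static-analysis rule suspicious.install_untrusted_source on a
config file: flag install URLs whose host is a raw IP or a known URL shortener,
reporting the line number as the scanner does. Added example; the shortener
list, the plain-http check (which goes beyond the two conditions the page
names) and SAMPLE_CONFIG are constructed; the real config-dev.yaml is not
shown on the page."""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed list; extend with the shorteners relevant to your environment.
SHORTENER_HOSTS = frozenset({
    "bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy",
})
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url: str) -> str:
    """'raw_ip' | 'shortener' | 'plain_http' | 'ok', in that precedence."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    try:
        ipaddress.ip_address(host)      # handles IPv4 and bracketed IPv6 hosts
        return "raw_ip"
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        return "shortener"
    if parsed.scheme == "http":
        return "plain_http"
    return "ok"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """(line number, url, verdict) for every URL in the text that is not 'ok'."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            verdict = classify_url(match.group(0))
            if verdict != "ok":
                findings.append((lineno, match.group(0), verdict))
    return findings


# Constructed YAML-style config; line 2 carries a raw-IP install source.
SAMPLE_CONFIG = """\
name: smyx_common
install_source: http://203.0.113.7:8080/skill.tar.gz
docs: https://bit.ly/skill-docs
mirror: https://example.com/skill.tar.gz
"""
```

A raw-IP or shortener install source means the artifact's origin cannot be pinned to a reviewed domain or checked against a certificate name, which is why the rule warns even when the download itself succeeds.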