Back to skill

Security audit

Succulent Special State Detection | 多肉植物特殊状态识别

Security checks across malware telemetry and agentic risk

Overview

The skill does perform the advertised succulent image/video analysis, but it also silently creates or reuses user identity state, logs in to a remote service, and stores authentication tokens with limited user control.

Install only if you are comfortable with uploaded plant images or videos and report-history queries being processed by LifeEmergence remote services, and with the skill creating/reusing an internal identity plus local token-bearing account records. Avoid using it in workspaces where OpenClaw, Feishu, or other identity environment variables should not be consumed by third-party skill code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no permissions, yet its documented behavior includes shell execution, local file read/write, environment usage, and network access. This creates a hidden trust boundary: users and hosting platforms may believe the skill is low-risk while it can execute commands, persist data locally, and exfiltrate uploaded media or report metadata to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is narrow plant-state detection, but the described behavior expands into persistent identity creation, history retrieval, remote API interaction, and report-link export. This mismatch is dangerous because it can mislead users into providing images under a simple analysis pretext while the skill also builds long-lived user records and accesses broader remote functionality not clearly disclosed.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script exposes a history-report listing function (`show_analyze_list`) that is outside the stated image-analysis purpose in the manifest. When combined with identity resolution elsewhere in the script, this creates an unnecessary data-access surface that could reveal prior analysis records and associated metadata to users or callers who only expected single-image/video inference.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code initializes and uses an internal user identity (`open_id`) even though succulent condition detection does not inherently require account-context access. Tying a simple media-analysis tool to hidden identity-based report access increases the risk of unintended data exposure, cross-user access bugs, and privacy violations if identity resolution or backend authorization is weak.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The skill manifest describes HD image-based succulent analysis, but this code accepts arbitrary local files and remote HTTP(S) URLs under video-oriented parameter names and submits them for backend analysis. This creates a capability mismatch that can mislead users about what data is being transmitted and broadens the attack surface to remote URL handling and unexpected media ingestion.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill includes report-history listing and export-link generation features that go beyond the stated plant-state detection function. Exposing prior analysis records and export URLs can reveal historical user data or enable unintended access to generated reports if authorization is weak elsewhere in the stack.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The implementation performs video analysis and exposes video-history listing despite the manifest describing HD image-based succulent condition detection. This capability mismatch is dangerous because it can cause users and reviewers to approve the skill under false assumptions while it processes a different, potentially more privacy-sensitive data type and retrieves stored history tied to an open ID.

Intent-Code Divergence

High
Confidence
89% confidence
Finding
The CLI help text and function descriptions repeatedly present the tool as a video analyzer, directly contradicting the published skill purpose of image-based succulent detection. Such inconsistent documentation undermines informed consent and increases the risk of deceptive deployment, especially if operators provide media or approve network access believing the skill only handles plant photos.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This file exposes generic add/edit/delete and raw HTTP GET/POST/PUT/DELETE wrappers that can interact with arbitrary URLs, which materially exceeds the advertised purpose of succulent image anomaly detection. In a skill expected to perform narrow image analysis, such broad remote-action capability increases the risk of misuse for unauthorized data transmission or remote state changes if higher-level code passes attacker-controlled endpoints or payloads.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code supports broad remote resource management through pagination helpers and generic mutation methods rather than a narrowly scoped plant-detection workflow. That mismatch is security-relevant because a seemingly harmless vision skill can become a transport layer for unrelated backend operations, expanding attack surface and enabling stealthy misuse inside agent environments.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The configuration class reads identity-related environment variables such as OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, and FEISHU_OPEN_ID even though this skill is described as succulent image analysis. Pulling unrelated user/platform identifiers into shared config expands data access beyond the minimum required scope and can leak or repurpose user identity context across skills. In this skill context, that mismatch makes the behavior more suspicious because plant-state detection should not need messaging-platform identity data.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is supposed to perform succulent image anomaly detection, but this file defines a generic user/account DAO and shared persistent database logic. That creates unnecessary data collection and storage capability unrelated to the declared purpose, expanding the attack surface and enabling covert retention or cross-skill reuse of user data without clear justification.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The User model stores identity and authentication-like secrets including username, realname, email, token, and open_token even though the skill’s stated purpose is plant-state detection from images. Collecting and persisting these fields without clear necessity increases privacy risk and creates a valuable target if the local database is accessed by other components or leaked.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code provisions and persists a default user identity/open-id in local workspace state, including reading from a local API-key-like file and creating synthetic users in a database. That behavior is unrelated to the stated succulent-image analysis purpose and introduces hidden identity management and persistent account state, which can cause unauthorized account creation, cross-session tracking, and misuse of user context without explicit consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The HTTP helper silently performs remote phoneLogin-style registration/login, obtains tokens, caches them, and reuses them for subsequent requests. For a succulent detection skill, hidden account creation and token lifecycle management are out of scope and dangerous because they enable undisclosed remote service enrollment, persistent authentication, and transmission of user-linked identifiers to external services.

Vague Triggers

Medium
Confidence
84% confidence
Finding
A default trigger that activates on broadly any succulent image-analysis request increases the chance of unintended execution, causing media to be processed or uploaded without sufficiently specific user intent. In a skill with cloud/API and local file handling, overbroad activation increases privacy and safety risk because sensitive images or videos may be sent to backend services unexpectedly.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Ambiguous everyday phrases like generic plant-condition descriptions can match normal conversation and trigger the skill outside its intended scope. Because the skill also supports cloud history queries and media handling, accidental activation can expose prior reports or initiate remote processing without clear user awareness.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description does not clearly warn users that uploaded media and report queries are processed through cloud/API services. This omission is dangerous because users may reasonably expect local-only image analysis for a plant-care skill and may not realize their photos, videos, identifiers, or report history are transmitted to third-party infrastructure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill silently resolves current user identity through `OpenIdUtil.resolve_current_open_id(...)` without a clear user-facing warning or transparent CLI behavior. Hidden identity initialization is dangerous because users may unknowingly grant access to account-scoped data, and attackers or integrators may abuse ambient identity context to retrieve or correlate prior reports.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads local file contents into memory and submits them to a remote analysis API, or sends a user-supplied URL for remote processing, without any user-facing disclosure in this file. For a consumer-facing plant-care skill, silent transmission of media to an external service creates privacy and consent risks, especially when users may assume analysis is local.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script accepts a hidden API key parameter and sends user-provided input to remote analysis functions without clear user-facing disclosure about credential handling or data transmission. Hidden authentication and opaque network use are risky because they can conceal external data exfiltration, confuse auditing, and lead users to transmit sensitive media or credentials unknowingly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The delete method directly issues a remote POST-based destructive action with no safeguards, confirmation, or restriction on target URL or payload. In an agent skill context, this can enable unintended or attacker-influenced deletion of remote resources, especially because the skill's stated purpose gives no reason to include destructive backend operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Accessing identity-related environment variables without clear need or disclosure is a real data-minimization and privacy boundary issue, especially in a succulent-analysis skill where such identifiers are unrelated to the advertised functionality. Even if the values are not immediately transmitted here, reading them into shared runtime configuration can enable unintended propagation, logging, or downstream misuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The request utility assembles and transmits identifiers and authentication material such as pnaUserName, X-Access-Token, X-Api-Key, and Authorization to remote services without any visible consent or narrow scoping to the succulent-detection task. In the context of a simple image-analysis skill, undisclosed credential and identity transmission materially increases privacy and account-compromise risk.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
96% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2