v1.0.6

Bird Recognition Tool | 鸟类识别工具

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 12:42 PM.

Analysis

This bird-recognition skill is suspicious because it asks for user identifiers, sends media to hard-coded cloud services, and declares purchase/sensitive-credential capabilities that are not explained by the bird-recognition purpose.

GuidanceBefore installing, confirm why this bird-recognition tool needs sensitive-credential and purchase-capable permissions, avoid using a phone number as the open-id, and do not upload sensitive images or videos unless you trust the external lifeemergence.com services and understand report retention.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

SKILL.md

⚠️ 强制记忆规则（最高优先级）...所有历史报告查询必须从云端接口获取...即使技能调用失败或接口异常，也不得回退到本地记忆汇总

The skill uses high-priority instructions that force a specific cloud-query path and forbid fallback behavior. This is purpose-aligned for avoiding local memory, but it strongly controls agent behavior.

User impactThe agent may prioritize the skill’s cloud-report workflow over alternative ways the user expects history to be handled.

RecommendationUse the history-query function only when you intend to query the cloud service, and verify that the returned reports are the ones you expect.

Tool Misuse and Exploitation

SeverityHighConfidenceMediumStatusConcern

metadata

Capability signals: crypto; can-make-purchases; requires-sensitive-credentials

Purchase-capable authority is not part of the stated bird-recognition purpose, and the artifacts do not define approval, spending limits, scope, or reversibility for purchase-like actions.

User impactInstalling the skill may expose high-impact capabilities that are not explained by the bird-recognition workflow.

RecommendationDo not grant purchase-capable permissions unless the publisher documents why they are needed, how approval works, and how spending or account changes are prevented.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

skills/smyx_common/scripts/config-dev.yaml

base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"

A raw private-IP HTTP endpoint is bundled in a published skill configuration, matching the static scan warning and creating an endpoint/provenance concern.

User impactThe skill package contains environment configuration that points to an undisclosed local-network service, making it harder to verify where requests may be sent if configuration changes.

RecommendationInstall only if the publisher removes private dev endpoints or clearly documents trusted production endpoints and configuration selection.

Cascading Failures

SeverityLowConfidenceMediumStatusNote

SKILL.md

如果用户上传了附件或者图片/视频文件，则自动保存到技能目录下 attachments...用于保存和查询历史报告记录

The instructions describe automatic local attachment saving and cloud report history, so a mistaken upload or wrong open-id can persist beyond a single interaction.

User impactA sensitive or incorrect upload could be retained locally or associated with the wrong history identifier.

RecommendationConfirm before saving or uploading files, and use a separate open-id for testing or shared environments.

Human-Agent Trust Exploitation

SeverityLowConfidenceMediumStatusNote

SKILL.md

Supports recognition of no less than 500 common bird species, supports customized model training...Powered by deep learning visual models

The skill makes strong capability claims, including customized model training, while the documented workflow mainly exposes API-based recognition and history listing.

User impactUsers may overestimate the verified capabilities or reliability of the skill, especially for custom training or conservation decisions.

RecommendationTreat outputs as informational, verify important species identifications independently, and ask the publisher for model/training documentation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

如果文件存在且配置了 api-key 字段，则读取 api-key 作为 open-id...必须暂停执行，明确提示用户提供用户名或手机号作为 open-id

The skill requires an identity value and may ask for a username or phone number, while the registry requirements declare no primary credential or required environment variables.

User impactYour phone number, username, or API-key-like value may be used to save and retrieve report history, creating account-linkage and privacy risk.

RecommendationUse a non-sensitive unique identifier instead of a phone number where possible, and require the publisher to declare identity and credential handling explicitly.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

说明用途（用于保存和查询历史报告记录）...所有历史报告查询必须从云端接口获取

The skill uses a persistent cloud history/report source keyed by open-id. This is aligned with the history-report feature but sensitive because reports can persist across sessions.

User impactUploaded media analyses may become part of a cloud report history and later be retrieved by the identifier used as open-id.

RecommendationUse a dedicated non-sensitive open-id, avoid uploading sensitive media, and confirm how cloud reports can be deleted or scoped.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

skills/smyx_common/scripts/config.yaml

base-url-open-api: "https://open.lifeemergence.com/smyx-open-api"...base-url-open-h5: "http://livemonitor.lifeemergence.com"...base-url-health: "https://lifeemergence.com/jeecg-boot-xzgz"

The skill communicates with hard-coded external provider endpoints, including an HTTP H5 endpoint, but the registry source is unknown and no privacy or trust boundary is declared.

User impactImages, videos, media URLs, identifiers, and report links may be sent to or retrieved from external services whose data-handling boundaries are not clear from the artifacts.

RecommendationReview the provider and privacy terms before use, and avoid uploading sensitive footage or using personal identifiers as open-id.