Plant Root Health Analysis (Transparent Pot) | 植物根系健康状况(透明盆)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This plant-analysis skill includes under-disclosed account, token, cloud-history, and unrelated health-analysis code that users should review before installing.

Install only if you are comfortable sending plant images/videos and a stable identifier, possibly a phone number, to the publisher’s external services. Review or remove the account auto-registration/token persistence paths, fix the yaml dependency, and confirm the backend really performs plant-root analysis rather than the unrelated pet or human-health workflows shown in the bundled files.

SkillSpector (30)

By NVIDIA

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
Finding
The skill scope expands from local visual analysis into mandatory cloud-linked history retrieval and persistence keyed to a user open-id. That broadening creates unnecessary collection and linkage of user activity over time, increasing privacy and tracking risk beyond what is needed for a one-off root-health assessment.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
The skill instructs reading api-key/open-id values from local config files or prompting for username/phone number, even though the stated task is visual analysis. Pulling identifiers or secrets from local files and user identity data introduces credential exposure and unauthorized data use risks, especially when combined with remote API calls and local persistence.

Intent-Code Divergence

Severity: Medium | Confidence: 86%
Finding
The documentation tells the model to only provide visual assessment, but later requires local file saving and historical cloud report querying. This inconsistency is risky because it obscures data handling behavior and can cause users to believe their interaction is transient when the skill actually stores and retrieves linked records.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
Finding
The API documentation is for pet health analysis while the skill metadata describes plant root health analysis, indicating the skill may be wired to the wrong backend or includes copied documentation from an unrelated domain. This mismatch can cause accidental cross-domain data access, incorrect API calls, and unsafe assumptions by downstream agents or integrators about what data is being processed.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
Finding
The file exposes generic record-management operations (page/list/add/edit/delete) in a skill whose manifest describes root-health analysis from camera images. This scope mismatch increases the attack surface and may enable unauthorized modification or deletion of backend-managed resources if these methods are exposed through the skill interface or reused by downstream components.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding
The delete method allows deletion of a resource identified only by camera serial number, which is unrelated to the stated analysis-only purpose and could be abused to remove camera-associated records or configurations. In an IoT or plant-monitoring deployment, such deletion can disrupt monitoring, erase operational data, or affect multiple devices if camera serials are enumerable or guessable.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Finding
The add and edit methods provide generic management capabilities not justified by the manifest's analysis-only description. If reachable by callers, they could allow unauthorized creation or modification of backend records, causing integrity issues, configuration drift, or misuse of the service beyond plant root analysis.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding
The documented endpoint and sample response describe face detection and human health/constitution diagnosis, which materially contradicts the stated purpose of plant root health analysis. This mismatch is dangerous because it suggests the skill may send user-provided videos to an unrelated human-analysis service, creating a serious risk of undisclosed collection or processing of human biometric/health-related data if people appear in frame.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The referenced external API behavior is unrelated to the advertised function of the skill and instead returns human face-detection and diagnosis fields. In this skill context, that makes the issue more dangerous because users reasonably expect plant analysis, not human profiling, so the discrepancy can conceal improper data use, privacy violations, or backend substitution with a different service than disclosed.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding
The skill accepts arbitrary HTTP/HTTPS URLs and forwards them for backend analysis, even though the declared use case is fixed-camera plant root media. This expands the trust boundary to attacker-controlled remote resources and can enable unintended fetching/processing of untrusted content, privacy issues, or abuse of downstream services if URL origin and content type are not tightly constrained.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
The report-listing path reads unrelated human-health/face-analysis fields such as `healthAiResponse` and `faceAnalysisResponse` instead of plant root health result structures. This can cause cross-domain data leakage, mislabel reports with unrelated sensitive outputs, or expose/report incorrect data if the shared backend returns mixed record types.

Description-Behavior Mismatch

Severity: Medium | Confidence: 80%
Finding
Accepting arbitrary remote URLs expands the trust boundary beyond fixed local camera inputs described in the manifest. If downstream components fetch those URLs server-side, this can enable unintended network access patterns, privacy leakage, or SSRF-style abuse, especially because the script gives no validation or restriction of remote sources.

Context-Inappropriate Capability

Severity: Low | Confidence: 72%
Finding
The historical analysis listing capability exposes data access beyond the manifest's stated root-analysis function, and it is keyed only off a user-supplied identifier path in this script. If authorization is weak downstream, this broadens the chance of improper access to prior analyses or metadata for other users.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
Finding
This file exposes generic network primitives for add/edit/delete/list and arbitrary HTTP GET/POST/PUT/DELETE against caller-supplied URLs, which is broader than the declared root-health analysis purpose. In an agent context, such broad wrappers can be reused to reach unintended internal or external services, enable unscoped data exfiltration, or perform unauthorized remote actions if other parts of the skill can influence the URL or payload.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
Finding
The implementation provides arbitrary remote resource management capabilities rather than only plant-root analysis operations described in the manifest, creating a capability mismatch. That mismatch is risky because a seemingly benign imaging skill may secretly act as a general network client, increasing the chance of hidden functionality, privilege abuse, or misuse by downstream code.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
The file implements persistent user-account storage and management, including lookup, update, and deletion capabilities, despite the declared skill being limited to plant root health analysis. This scope mismatch indicates hidden or unnecessary data-handling behavior that expands the attack surface and may enable unauthorized collection or manipulation of user data unrelated to the skill’s purpose.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding
The model stores authentication tokens, open tokens, email, birthday, sex, and age, none of which are necessary for analyzing plant roots from images. Retaining such sensitive personal and auth data in a local SQLite database creates unnecessary privacy and credential-compromise risk, especially if the database file is accessible to other local processes or backed up insecurely.

Intent-Code Divergence

Severity: Medium | Confidence: 84%
Finding
The class presents itself as a generic lightweight CRUD wrapper, but initialization also performs an implicit schema migration targeting a specific user table. This hidden side effect reduces transparency and can surprise operators by altering local data structures automatically, which is particularly concerning in a skill whose stated function is plant analysis rather than account management.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The utility layer performs account lookup, implicit login/registration, token acquisition, and token persistence even though the advertised skill is for plant root image analysis. This creates an unjustified identity and credential-handling capability that expands the attack surface, enables silent account creation/use, and could expose or misuse user identities and tokens if the helper is invoked unexpectedly.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
The helper can auto-register or log in a user by sending a username/mobile as both openId and mobile with silent/register flags. For a plant-analysis skill, this is unrelated functionality and is dangerous because it can create external accounts or bind identities without informed consent, potentially causing privacy, billing, and account-abuse issues.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
Finding
The code saves and updates token-bearing user records in local storage/DAO, including retry logic that clears and refreshes tokens. Persisting authentication material in a utility used by an unrelated plant-health skill increases the risk of credential leakage, unauthorized reuse, and hidden long-lived access beyond the user's expectations.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
The auto-trigger for history-report queries includes broad phrases like generic 'history report' requests, which can activate backend data retrieval outside the user's intended scope. In a multi-skill or conversational environment, overly broad triggers increase the chance of unintended access to user-linked historical records.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The skill states that uploaded images or videos will be automatically saved locally, but it does not clearly warn users about retention, storage location, or access controls. Automatic persistence of user media can expose sensitive images, enable unintended reuse, and expand the blast radius if the workspace is compromised.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The skill mandates cloud API queries for historical reports tied to an open-id but provides no clear privacy notice about transmitting identifiers and report metadata to a remote service. This creates a hidden data-sharing risk and may expose user activity history or account-linked records without informed consent.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The skill asks the user for a username or phone number as open-id without clearly disclosing privacy implications or alternatives. Requesting direct personal identifiers for a plant-analysis task is unnecessary on its face and increases the risk of overcollection, correlation of activity, and mishandling of personal data.

Static analysis

Install untrusted source

Severity: Warn
Finding
Install source points to URL shortener or raw IP.

Dep not found on registry

Severity: Critical
Finding
1 package(s) referenced in dependency files do not exist on their public registries: yaml (pypi)

VirusTotal

VirusTotal findings are pending for this skill version.