plant-doctor

Security checks across malware telemetry and agentic risk

Overview

Plant Doctor is a coherent plant-care skill that writes a small local plant database and offers an optional dashboard, with privacy choices users should understand before enabling memory or remote storage.

Install only if you are comfortable with the agent creating and updating a local plants/ folder for your plant collection and watering schedule. Do not enable memory or build the optional dashboard unless you want plant data, room/location details, photos, and care history persisted beyond the current chat or local files; if using the dashboard, keep storage private and credentials in environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The document makes strong security assurances such as 'audited and verified' and 'never phones home', yet it also describes an optional dashboard backed by a remote database and credentials. The contradiction can lead users to treat the package as strictly local-only and deploy the dashboard, with its networked data flows and possibly sensitive plant photos, under a false sense of safety.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README instructs users to paste setup content that will 'automatically configure your workspace' and later mentions persistent local state files, but it does not clearly warn that installation may modify the local filesystem. For agent skills, undisclosed automatic workspace changes are dangerous because users may grant execution to a prompt that creates, overwrites, or persists files without informed consent, increasing the risk of unwanted state changes or prompt-based abuse.

Missing User Warnings

Severity: Low
Confidence: 95%
Finding
The setup prompt instructs the agent to create directories and files in the user's workspace and change permissions, but it does not warn the user that installation will perform filesystem writes. Even though the writes are limited and appear related to the skill's purpose, silent modification of the workspace reduces user awareness and can normalize unauthorized file operations by skills.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The prompt directs the agent to integrate plant data with persistent memory across sessions if available, but it provides no privacy notice, consent step, or explanation of what data will be retained. Cross-session persistence can expose sensitive household, behavioral, or location-adjacent information and may surprise users who expect a temporary interaction.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to update `plants/collection.json` and `plants/care-schedule.md` when the user reports watering, but it does not require clear user consent or warn that these are persistent file modifications. This creates a real safety issue because ordinary conversational input can trigger durable state changes, increasing the risk of unintended or surprising writes to user data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The seasonal care logic directs the agent to proactively recalculate all watering schedules and notify the user, implying bulk updates to persistent plant records without an explicit warning or confirmation step. Even though writes are scoped to the `plants/` directory, automated background-style modification of user files can cause unexpected data churn, overwrite user-managed schedules, and reduce user control over stored information.
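The last three findings share a root cause: conversational input or seasonal logic triggers durable writes to `plants/collection.json` and `plants/care-schedule.md` with no scope check and no confirmation step. The example below is added here and is not code from the Plant Doctor skill or from SkillSpector; it shows how a skill could perform those same updates while confining every write to the `plants/` directory (rejecting `../` traversal and symlink escapes) and staging changes behind an explicit confirmation callback. The collection layout (`plants`, `name`, `interval_days`, `last_watered`), the helper names, and the sample data in `demo()` are assumptions made for the example.

```python
"""Scoped, consent-gated file writes for an agent skill (added example, not the skill's own code)."""
from __future__ import annotations

import json
import os
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Callable


class WriteOutsideScope(ValueError):
    """Raised when a requested path would land outside the allowed directory."""


def resolve_in_scope(root: Path, relative: str) -> Path:
    """Return the absolute target path, or raise if it escapes root.

    resolve() follows symlinks, so a symlink inside plants/ that points at
    ~/.ssh is rejected just like a plain '../' traversal.
    """
    root = root.resolve()
    target = (root / relative).resolve()
    if target != root and root not in target.parents:
        raise WriteOutsideScope(f"{relative!r} resolves outside {root}")
    return target


class StagedWrites:
    """Collects proposed writes; nothing touches disk until commit() is confirmed."""

    def __init__(self, root: Path) -> None:
        self.root = root.resolve()
        self.pending: dict[Path, str] = {}

    def stage(self, relative: str, content: str) -> None:
        self.pending[resolve_in_scope(self.root, relative)] = content

    def summary(self) -> list[str]:
        """Human-readable list of what commit() would do, shown to the user first."""
        return [
            f"{'overwrite' if p.exists() else 'create'} {p.relative_to(self.root)} ({len(c)} bytes)"
            for p, c in self.pending.items()
        ]

    def commit(self, confirm: Callable[[list[str]], bool]) -> bool:
        """Apply staged writes only if confirm() approves the summary; otherwise discard them."""
        if not self.pending or not confirm(self.summary()):
            self.pending.clear()
            return False
        for path, content in self.pending.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            # write-then-rename so a crash mid-write cannot truncate the user's file
            fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".tmp-")
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.replace(tmp, path)
        self.pending.clear()
        return True


def render_schedule(collection: dict) -> str:
    """Derive care-schedule.md from the collection (assumed layout, see lead-in)."""
    lines = ["# Care schedule", ""]
    for plant in collection["plants"]:
        last = date.fromisoformat(plant["last_watered"])
        due = last + timedelta(days=int(plant["interval_days"]))
        lines.append(f"- {plant['name']}: last watered {last.isoformat()}, next due {due.isoformat()}")
    return "\n".join(lines) + "\n"


def record_watering(root: Path, plant: str, watered_on: str,
                    confirm: Callable[[list[str]], bool]) -> bool:
    """Stage the two updates a 'I watered X' message implies; apply only on confirmation."""
    collection_path = resolve_in_scope(root, "collection.json")
    collection = json.loads(collection_path.read_text(encoding="utf-8"))
    matches = [p for p in collection["plants"] if p["name"] == plant]
    if not matches:
        raise KeyError(f"unknown plant {plant!r}")
    for p in matches:
        p["last_watered"] = watered_on
    staged = StagedWrites(root)
    staged.stage("collection.json", json.dumps(collection, indent=2) + "\n")
    staged.stage("care-schedule.md", render_schedule(collection))
    return staged.commit(confirm)


def demo() -> dict:
    """Run the flow against a constructed one-plant collection in a temp dir."""
    root = Path(tempfile.mkdtemp()) / "plants"
    root.mkdir()
    sample = {"plants": [{"name": "Monstera", "interval_days": 7, "last_watered": "2024-05-01"}]}
    (root / "collection.json").write_text(json.dumps(sample), encoding="utf-8")

    def last_watered() -> str:
        return json.loads((root / "collection.json").read_text(encoding="utf-8"))["plants"][0]["last_watered"]

    out = {"declined": record_watering(root, "Monstera", "2024-05-08", confirm=lambda _: False)}
    out["after_decline"] = last_watered()
    out["accepted"] = record_watering(root, "Monstera", "2024-05-08", confirm=lambda _: True)
    out["after_accept"] = last_watered()
    out["schedule"] = (root / "care-schedule.md").read_text(encoding="utf-8")
    try:
        resolve_in_scope(root, "../.bashrc")
        out["escape_blocked"] = False
    except WriteOutsideScope:
        out["escape_blocked"] = True
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In an agent setting the `confirm` callback is where the skill would show the user the `summary()` lines and wait for an explicit yes; a declined or absent answer leaves the files exactly as they were, which is the warning-and-consent step the findings above say the skill lacks. The same `StagedWrites` object can batch a seasonal recalculation of every plant into one confirmation rather than silently rewriting the schedule.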

VirusTotal

63/63 vendors flagged this skill as clean.