Blooming Elf

Security checks across malware telemetry and agentic risk

Overview

This plant-care skill is mostly purpose-aligned, but it overreaches by intercepting any unconfigured conversation and pushing users into persistent storage, reminders, and an external IMA/WeChat-backed archive without clear scoping or local-only consent.

Review before installing. This skill can be useful for plant reminders, but it is written to take over any conversation until configured, store ongoing plant records locally, create scheduled reminders, search the web for unknown plants, and push archives into IMA/WeChat-linked services. Install only if you are comfortable with that persistence and remote archive flow, and avoid using it for private location or household details unless the skill is revised to require explicit plant-related activation and consent before syncing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability
Medium, 89% confidence

The skill directs users to download and log into external services (IMA and WeChat) as part of onboarding, even though that dependency is not essential to the plant-care function described in the manifest. This creates unnecessary account-linking and data-sharing risk, especially because the skill also persists plant and environment data and later syncs it to the external knowledge base without a clearly disclosed consent step.

Description-Behavior Mismatch
Medium, 76% confidence

The skill instructs the agent to perform web searches for plant information when a species is not in its built-in table, but this external lookup behavior is not disclosed in the metadata. Undisclosed network access expands the skill's effective capabilities and can expose user context or prompt content to third-party services unexpectedly.

Vague Triggers
Medium, 70% confidence

The add-plant triggers include broad phrases such as 'just bought' or 'got another one,' which can match ordinary conversation outside the user's intent to invoke this skill. Because the skill writes drafts to persistent storage, an overbroad trigger can cause unintended state changes and memory pollution from unrelated chats.

Vague Triggers
High, 95% confidence

The unconfigured-state rule activates on any user input and instructs the agent to ignore the current conversation and emit onboarding text verbatim. This effectively gives the skill universal interception scope, allowing it to hijack unrelated interactions and potentially steer users into unnecessary data collection, file access, and automation setup.

Missing User Warnings
Medium, 92% confidence

The skill description presents a benign plant assistant but does not warn that the skill reads and writes persistent local memory files, stores drafts, and creates scheduled automations. Missing disclosure undermines informed consent and increases the risk that users unknowingly permit persistent tracking and automated actions.

Missing User Warnings
Medium, 90% confidence

The skill omits a clear privacy warning before sending user data to external knowledge-base and link-related services, despite onboarding flows that create notes, link them to a KB, and later retrieve shareable URLs. This can expose plant records, location, and environmental details to remote systems without sufficiently informed user consent.

VirusTotal

64/64 vendors flagged this skill as clean.