Back to skill

Security audit

Blooming Elf

Security checks across malware telemetry and agentic risk

Overview

This plant-care assistant appears purpose-aligned, but it can activate too broadly and create persistent notes and reminders with weak user confirmation.

Review before installing. Use it only if you are comfortable with automatic plant-care files or IMA notes, a MEMORY.md profile, recurring reminders, weather lookups based on your city, and long-term watering/activity logs. Confirm where it stores files and disable or remove unwanted automations after setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to fetch live weather and use network services before sending reminders, expanding capabilities beyond local plant-record management into external data access. Broadening network reach increases attack surface, may leak contextual user information such as city and schedule, and creates opportunities for unintended outbound requests.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Knowledge-base enumeration and file association let the skill inspect and modify broader document storage unrelated to watering reminders. This is dangerous because it can expose unrelated user content, metadata, and folder structure, violating least privilege and enabling cross-document data access beyond the stated purpose.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
Generating shareable document URLs adds data exfiltration capability because links may grant access to stored notes outside the current session. Even if URLs are time-limited, exposing them can leak plant logs, file locations, or other stored content to unintended recipients.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger 'any input -> onboarding' is overly broad and can hijack unrelated conversations or activate storage-writing workflows unexpectedly. Overbroad invocation is dangerous because it increases the chance of unauthorized file reads/writes and automation creation from benign, out-of-scope user messages.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Generic trigger phrases like '帮我看看', '状态不好', and '记一下' can match many unrelated user requests. This makes unintended skill execution more likely and can cause accidental access to stored notes, creation of logs, or workflow takeover in conversations not meant for this skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs automatic local file creation and modification without clear up-front consent, including writes to local .md files and persistent state updates. Silent local writes are risky because they can alter the filesystem, create durable records of user behavior, and surprise users who did not authorize storage side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates automatic scheduled-task creation via automation_update once reminder time is collected, without a strong up-front warning. Creating persistent automations changes system behavior beyond the current chat and can lead to unwanted recurring actions or notification spam if triggered unintentionally.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill persistently stores detailed user data in MEMORY.md and related documents, including city, environment, reminder times, plant lists, note IDs, and file paths, then reuses it automatically across sessions. This creates a privacy and security risk because sensitive personal context and storage identifiers are retained without per-action confirmation or strong minimization boundaries.

Ssd 3

Medium
Confidence
89% confidence
Finding
The fallback path tells the agent to use cached MEMORY.md data, including plant lists and document identifiers/paths, when primary reads fail. Using stale or partially invalid persisted data can cause actions against the wrong files or expose sensitive paths and identifiers even when the authoritative source is unavailable.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill repeatedly instructs automatic creation and maintenance of archive and activity-log documents containing detailed user actions over time. Persistent behavioral logging increases privacy exposure, creates long-lived sensitive records, and can compound impact if links, note IDs, or local files are later accessed by other tools or users.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.