Security audit

Crop Fruit Ripeness Grading | 经济作物果实成熟度分级

Security checks across malware telemetry and agentic risk

Overview

The skill’s cloud fruit-grading workflow is mostly disclosed, but it silently creates or reuses an identity, contacts remote services, and persists account tokens locally.

Install only if you are comfortable sending crop images/videos or submitted URLs to the LifeEmergence/Open LifeEmergence cloud service, having report history associated with an automatically managed identity, and storing service tokens in the workspace data directory. Avoid using sensitive media, and prefer a version that clearly documents token storage, retention, and confirmation before history queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (31)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises no explicit permissions while the documented workflow requires shell execution, local file handling, network access, and use of persisted local state. This mismatch is dangerous because reviewers and users may authorize or trust the skill without understanding that it can save files locally, call external APIs, and access environment or local resources indirectly through its scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is simple fruit-ripeness grading, but the behavior extends to remote file/URL upload, generic backend AI processing, polling job endpoints, history retrieval, identity provisioning, and local token/user-data storage. This is dangerous because it materially expands the data-handling and trust boundary beyond what the manifest suggests, creating hidden privacy, authentication, and exfiltration risks.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest frames the skill as visual ripeness grading, but the documentation adds cloud-based historical report querying and report-link generation. This broadens functionality into data retrieval and external record access, which can expose user data or trigger unintended remote operations without clear upfront declaration.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The CLI advertises a fruit-ripeness tool but still exposes pet-analysis semantics such as `--pet-type` and pet-focused help text. This mismatch is a strong indicator of code reuse or repurposing that can hide unintended functionality, confuse operators about what data is being processed, and increase the risk that unrelated backend behaviors are still active.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script includes a listing function for prior analyses tied to an `open_id`, which is unrelated to fruit-ripeness grading. Exposing account/history retrieval in a narrowly scoped analysis tool broadens access to potentially sensitive user data and creates an unnecessary data-disclosure surface if invoked by unauthorized users or embedded workflows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill resolves and uses an internal user identity (`open_id`) even though fruit-ripeness grading should only require an image/video input. This creates hidden identity coupling and may cause analyses or history operations to be associated with an internal account context without meaningful user awareness, increasing privacy and access-control risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially exceeds the declared fruit-ripeness scope: it accepts generic file/URL analysis, polls for remote results, and exports reports. This kind of scope mismatch is dangerous because users or orchestrators may grant the skill broader trust and permissions than intended, enabling data exfiltration or access to unrelated backend capabilities under a misleading manifest.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code accepts arbitrary http/https URLs and forwards them for backend analysis without restricting domain, media type, or purpose. In context, a fruit-ripeness grader does not obviously need unrestricted remote fetching, so this expands the attack surface for SSRF-like backend fetch abuse, unexpected third-party access, and analysis of unintended content.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exposes report history/listing and export-link generation that are unrelated to simple ripeness grading. Extra data-access functionality increases the chance of unauthorized visibility into prior analyses or metadata, especially since the code comments show disabled open_id checks, suggesting weak access scoping around report retrieval.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially diverges from the declared skill purpose: instead of fruit ripeness grading, it performs generic video analysis via a backend skill interface. This is dangerous because users and reviewers may grant permissions or trust based on the manifest while the code processes broader media inputs and can invoke undeclared backend behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code accepts remote URLs and exposes account-scoped history listing, neither of which is disclosed by the manifest’s narrow fruit grading description. Hidden or undeclared capabilities increase the chance of misuse, unexpected data collection, and user deception about what data is fetched or retrieved on their behalf.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Resolving a current account identity and retrieving analysis history introduces identity-linked data access that is not justified by simple fruit ripeness grading. In this context, the mismatch makes the feature more dangerous because it may expose prior user data or metadata under the guise of a benign agricultural analysis tool.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The function names, docstrings, and CLI help repeatedly describe a video analysis tool, directly contradicting the advertised fruit ripeness grading skill. Such contradiction is a supply-chain trust problem: operators may deploy or approve the skill for one purpose while it actually enables broader media analysis behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file exposes broad generic HTTP and CRUD wrapper capabilities, including arbitrary POST/PUT/GET/DELETE requests and paginated listing helpers, which are far beyond a fruit-ripeness grading skill’s declared purpose. In a skill context, this creates an unnecessary capability surface that could be used to access, modify, or delete remote resources if another component can influence URLs or request payloads, making the mismatch between declared function and actual power especially dangerous.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The user account lookup helper introduces identity-related functionality that is not justified by fruit-ripeness grading and may enable user enumeration or unauthorized access to account metadata, depending on the backend behavior. Because the skill’s business purpose is unrelated to user management, this capability increases suspicion and expands the attack surface without an evident legitimate need.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
This file defines a generic user persistence layer with token and open_token storage, which is materially unrelated to a fruit-ripeness grading skill. Capability drift like this increases the attack surface by introducing credential-like local storage and account handling that could collect, persist, or expose sensitive user data without a clear business need. The mismatch with the declared skill purpose makes the code more suspicious, not less.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The module performs broad local database initialization, path rewriting, CRUD support, and schema migration that exceed what is necessary for fruit-ripeness analysis. Even if not overtly malicious, this unnecessary persistence layer expands the skill's privileges and data retention surface, creating opportunities for unintended data collection, cross-feature access, and abuse if other code paths start using it.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This utility file contains broad capabilities unrelated to fruit ripeness grading: workspace inspection, identity resolution, local user persistence, token management, and remote API login/request logic. In the context of a simple grading skill, these hidden side effects materially expand the trust boundary and can cause unauthorized account creation, credential use, and outbound data transmission.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can silently register or log in users against a remote service using synthesized or recovered identities, then cache returned tokens locally. For a fruit-ripeness skill, this is context-inappropriate and dangerous because it can create accounts and bind activity to local identities without clear user awareness or necessity.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code probes environment variables, script paths, agent-pack layouts, and workspace directories to infer agent identity and writable locations. While not directly exploitative on its own, this increases reconnaissance and filesystem reach beyond what a ripeness-analysis skill should need, making misuse or later data access easier.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code reads identity material from a workspace file, falls back to local database records, and synthesizes persistent default open-id values when none are provided. In a fruit grading skill this is unjustified identity handling that can appropriate local identifiers and create durable user state without informed consent.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The history-report trigger phrases are broad enough that normal user language may automatically invoke cloud report queries. That is dangerous because it can cause unintended external API calls and exposure of historical records or metadata without a sufficiently explicit user confirmation step.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill states that uploaded media will be automatically saved as local files, but it does not present a clear, prominent user warning about this storage behavior, retention, or cleanup. Silent local persistence increases privacy and data-handling risk, especially for image/video content that may contain sensitive contextual information.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2