Back to skill

Security audit

Cutting Rooting Status Detection (Transparent Container) | 扦插枝条生根状态(透明容器)

Security checks across malware telemetry and agentic risk

Overview

This plant-root analysis skill is mostly aimed at remote image analysis, but it also silently handles identity, account registration, token storage, and contains stale pet-health/API remnants that users should review before installing.

Install only if you are comfortable sending uploaded plant images/videos and report queries to the Life Emergence cloud service, and with the skill creating/reusing a local identity plus storing service tokens in a workspace SQLite database. Review or remove the stale pet-health references, dev IP configuration, and automatic registration/token persistence before using this in a shared or sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
80% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet the documentation clearly describes capabilities involving shell execution, network access, local file reads/writes, and environment/identity handling. This mismatch weakens policy enforcement and informed review because an operator may approve a seemingly low-privilege image-analysis skill that can actually access local data and remote services.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill’s advertised purpose is plant-root visual analysis, but the documentation broadens behavior to cloud-based historical report retrieval and report-link generation. That scope expansion introduces remote data access and account-associated reporting behavior unrelated to basic image inspection, increasing the chance of unexpected data exposure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill claims to provide only visual rooting assessment, yet it also documents automatic local file saving and mandatory cloud API queries for historical reports. These side effects materially expand data handling beyond analysis and can create privacy and integrity risks if users do not expect uploads, storage, or remote queries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatically reusing or creating a default local user identity is unnecessary for a plant-rooting analysis task and can silently bind actions and cloud records to a hidden account. This creates accountability, privacy, and cross-session data-mixing risks, especially if multiple users or contexts share the same environment.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file documents pet health analysis APIs even though the skill claims to perform plant cutting rooting-stage detection. This kind of domain mismatch is dangerous because it can cause the agent or integrator to invoke unrelated endpoints, exposing or processing the wrong data and indicating the skill may be miswired, mislabeled, or repurposed from another domain without proper review.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The referenced behavior in the file is inconsistent with the declared skill scope, which is a strong indicator of confused-deputy behavior, accidental data crossover, or hidden functionality. In a security review, this mismatch increases risk because operators may trust the plant-analysis description while the implementation or integration targets a pet-health system and its associated data flows.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code path for a plant-rooting analysis skill still exposes pet-oriented semantics via the `pet_type` parameter and mutates a shared `ConstantEnum.DEFAULT__PET_TYPE` value. This indicates the skill may be miswired to reused pet-analysis logic, creating a strong risk that the wrong backend, model, policy path, or data domain is invoked, which can lead to incorrect results and unintended cross-domain processing.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The CLI advertises pet-oriented choices and list/help text in a skill that claims to analyze plant cuttings, including `cat`/`dog` options and pet health messaging. This mismatch is dangerous because operators can unknowingly route inputs into an unintended analysis mode or backend workflow, undermining integrity of outputs and potentially exposing data to unrelated processing paths.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file exposes generic CRUD and arbitrary HTTP helper methods that are far broader than the skill’s declared purpose of passive plant-rooting analysis. In an agent context, such capability expansion increases attack surface and enables the skill or dependent code to contact arbitrary endpoints or perform unintended remote actions, violating least-privilege expectations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Delete, edit, and generic remote modification methods are not justified by a non-invasive image-analysis skill and create unnecessary capability to alter or remove remote resources. If misused by other components or prompted indirectly, these methods could cause unauthorized state changes or destructive actions on backend systems.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This code manages generic user accounts, usernames, real names, email addresses, birthdays, and tokens, which does not align with a plant-rooting image analysis skill. Such unjustified identity/account handling expands the attack surface and creates unnecessary collection and persistence of sensitive user data, increasing privacy and abuse risk if the skill is compromised or misused.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file provides broad reusable local database infrastructure unrelated to the manifest's narrow purpose of non-invasive rooting-stage detection. In this context, excess persistence capability is suspicious because it enables storage of arbitrary records and state beyond what users would reasonably expect from an image-analysis skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The model stores identity and secret-bearing fields including username, realname, email, token, and open_token, none of which are justified by a plant-cutting rooting detection use case. Collecting and retaining these fields unnecessarily raises confidentiality risk, especially because tokens are highly sensitive and could be abused for account access if leaked.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This utility file contains open-id resolution, workspace-derived identity selection, local user creation, and persistence logic that is unrelated to a plant rooting-status detector. In the context of a vision analysis skill, embedding identity provisioning and backend account management greatly expands the trust boundary and can silently bind the skill to a user identity without informed consent.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The HTTP helper automatically logs in or registers users against an external service, loads and stores tokens, and attaches authentication headers to requests. That behavior exceeds the stated purpose of non-invasive rooting-stage image analysis and creates undisclosed outbound data flows plus durable credential handling inside a generic utility layer.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code inspects workspace environment details and later uses workspace-local key material to infer identity context for backend access, which is unrelated to image-based root detection. This creates a hidden coupling between local environment state and external identity selection, increasing the chance of unintended account use or leakage of operator/workspace context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
When no identity is available, the code creates a local fallback user and supports silent remote registration behavior, which is inappropriate for the declared functionality. Silent account creation can cause unauthorized backend enrollment, persistent identity artifacts, and user confusion about what external services the skill is interacting with.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill specifies automatic cloud history-report queries triggered by keywords without a clear user-facing warning that remote data access will occur. Silent network access tied to natural-language triggers can surprise users and disclose account-linked report metadata to a remote service without meaningful consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that uploaded attachments or media files are automatically saved locally, but it does not clearly warn users about local persistence. Unexpected storage can retain sensitive images, create forensic residue, and enlarge exposure if the host environment is shared or insecure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When a local path is provided, the skill reads the entire local file and passes it to the remote analysis API without any in-code user notice, consent prompt, or disclosure. In a system where users may expect local-only processing, this can cause unintended exfiltration of potentially sensitive media or metadata to an external service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code reads an internal identity value from data/smyx-api-key.txt and uses it as an open-id source without user-facing disclosure. Accessing sensitive local key material in a rooting-analysis skill is unexpected and can repurpose existing workspace secrets for unrelated backend authentication.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The network logic transmits identifiers and authentication-related data to external services without any evidence of user notice or consent in this skill. In a skill whose description is limited to visual rooting-stage detection, hidden identity transmission is context-inappropriate and materially increases privacy and account-risk exposure.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The utility automatically creates local data directories, contributing to persistent state changes without warning. On its own this is low risk, but in this file it supports a broader pattern of undisclosed identity and token persistence that is not expected from a simple image-analysis skill.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2