Back to skill

Security audit

Indoor Plant Light Stress Detection | 室内植物光照不足/过强识别

Security checks across malware telemetry and agentic risk

Overview

This plant-analysis skill is mostly coherent, but it automatically uploads media or URLs to a cloud service and silently creates or reuses persistent identity state for remote report history.

Install only if you are comfortable with plant images/videos or supplied URLs being sent to Life Emergence cloud APIs, and with the skill creating/reusing a persistent local and remote identity for report history. Avoid placing real secrets in data/smyx-api-key.txt unless the publisher documents that use clearly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
77% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
76% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This utility module silently resolves an identity, provisions or reuses a local user, and performs remote account login/registration flows even though the file is presented as a generic utility library. In skill context, hidden identity management and account bootstrap behavior is risky because other code can trigger outbound authentication and account creation without clear user knowledge or consent.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The code reads from a file named smyx-api-key.txt but treats the contents as an open-id/identity value. This name/behavior mismatch can cause operators or other components to place a real API key in that file, after which the code may misuse the secret as an identifier and propagate it into requests or persisted state, creating credential confusion and possible leakage.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The default trigger condition is broad enough that the skill may activate on routine plant-image requests without a clearly expressed request for this specific analysis. In an agent setting, overbroad auto-invocation can cause unintended processing, privacy surprises, or unnecessary downstream tool/script execution.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The history-report triggers include generic phrases that could match ordinary conversation and automatically invoke cloud history retrieval. Because history lookup is tied to internal identity and remote API access, accidental activation risks exposing prior report metadata without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that uploaded attachments are automatically saved as local files, but it does not present this as a clear user-facing warning or consent point. Automatic local persistence of user media can create privacy and data-retention risk, especially for images/videos that may contain incidental sensitive content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill reads the entire local file into memory and sends it to an external analysis service via self.analysis() without any disclosure, consent check, or visible trust boundary in this file. In an agent context, this can cause unintended exfiltration of sensitive local content if a user or upstream workflow provides a confidential path.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code forwards arbitrary remote URLs to the analysis backend as videoUrl with no user-facing disclosure or validation of destination trust. In an agent setting, this can leak user-supplied URLs or trigger backend fetching of attacker-controlled resources, expanding privacy and indirect network-risk exposure.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script resolves and uses an open_id to retrieve remote analysis history, but it does not clearly disclose to the user that a persistent identifier will be used in a remote operation. In a CLI/security context, silent use of an account-linked identifier can expose user activity metadata and create privacy risks, especially because --open-id is hidden from help output.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The CLI sends a local file path or remote URL to a backend analysis function without an explicit notice that data may be transmitted to a remote service. In this skill context, users may reasonably assume a local CLI tool processes files locally; undisclosed transfer of video content or URLs can leak sensitive media, internal paths, or confidential links.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When no identity is supplied, the code generates a default user identifier and writes a corresponding user record to local storage automatically. In an agent skill environment, silently creating persistent identity state can surprise users, complicate attribution, and enable undisclosed tracking or downstream remote actions under a fabricated account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code automatically issues a network login/registration request using a derived username/openId, with silent and register flags enabled, and no user-facing warning. This is dangerous because simply invoking utility-backed HTTP functions can trigger external account creation and identity linkage, exposing local identity data to a remote service without explicit authorization.

External Transmission

Medium
Category
Data Exfiltration
Content
"source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
            }
            try:
                _response = requests.post(_url, json=_data)
                if _response.status_code == 200:
                    _response_json = _response.json()
                    if _response_json and _response_json.get("success"):
Confidence
92% confidence
Finding
requests.post(_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2