Back to skill

Security audit

Lawn Health Assessment | 草坪枯黄率与杂草密度评估

Security checks across malware telemetry and agentic risk

Overview

This lawn-analysis skill uses a cloud workflow, but it also silently creates or reuses an identity, stores auth tokens locally, and exposes historical reports, so it should be reviewed before installation.

Install only if you are comfortable with lawn images or videos, submitted URLs, account identifiers, report history, and locally stored service tokens being handled by the publisher's external services. Review the identity and data-retention behavior first, especially on shared machines or workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises only lawn assessment, but its instructions clearly require shell execution, local file handling, network access, and implicit identity/env usage without declaring those capabilities. This reduces transparency and prevents proper permission gating, which can let a seemingly harmless vision skill perform broader actions than users or the platform expect.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented behavior expands beyond image analysis into cloud-backed history retrieval and report-link generation, which is a scope mismatch from the manifest description. Scope drift is dangerous because users may provide images expecting local analysis while the skill also queries remote services and exposes report URLs tied to prior activity.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill introduces hidden identity handling, silent reuse of a default local user, and automatic user creation even though lawn-image scoring does not require this capability. This creates a risk of cross-user data exposure, unauthorized report association, and opaque statefulness that users cannot verify or consent to.

Intent-Code Divergence

Medium
Confidence
74% confidence
Finding
The unrelated `--pet-type` flag indicates code or interface reuse from another domain, which suggests the script may have undocumented branches or inherited behaviors not aligned with lawn assessment. While not directly exploitable on its own, this inconsistency is a warning sign for hidden functionality and poor security review coverage.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The API documentation is clearly mismatched to the declared lawn-health skill and instead describes pet health analysis endpoints and scene codes. This creates a supply-chain/integration risk: downstream agents or developers may invoke the wrong backend, process unrelated data, or expose/report unintended records, especially because one endpoint appears to export full reports by ID.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The inline text explicitly states the file is for pet health analysis APIs, directly contradicting the skill's lawn-assessment purpose. Such domain contradiction is dangerous because it can mislead maintainers, orchestrators, or automated tooling into connecting this skill to an unrelated service, causing data confusion, unauthorized access to another product area, or accidental disclosure via report retrieval/export endpoints.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The CLI is presented as a lawn-health tool, but the exposed parameters and labels still reference pet semantics and a pet-health list capability. This mismatch is dangerous because it indicates code reuse from an unrelated domain and can hide unexpected behaviors or data flows from users and reviewers, increasing the chance of unintended access to unrelated records or backend functions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill includes a user-specific history listing function even though the stated purpose is single-image/video lawn scoring. Unrelated history retrieval expands the attack surface and may expose prior analyses or user-associated data without a clear business need, especially when combined with hidden identity resolution.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code initializes hidden internal identity resolution through OpenIdUtil even though the skill claims to perform lawn-image analysis. Introducing undisclosed identity binding creates a risk of covert user tracking, cross-user data access, or backend requests being made in the context of an internal identifier the user did not knowingly provide.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation materially deviates from the declared skill purpose: a lawn-image assessment skill actually invokes video analysis behavior. This kind of capability mismatch is dangerous because users, reviewers, and orchestration systems may grant permissions or route data based on the manifest, while the code performs different processing and may transmit or handle unexpected content.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The exposed history-listing function is an undeclared capability outside the stated lawn-health assessment purpose. Undocumented access to prior analysis records can leak user activity or data associations, especially if open_id handling is weak or if callers do not expect the skill to enumerate stored history.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The in-code descriptions and CLI interface present the tool as a video analysis utility, which directly contradicts the manifest's lawn-image assessment claim. Such contradictory behavior undermines trust and security review, and can conceal unexpected networked processing or broaden the operational scope beyond what users consented to.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file exposes generic remote-operation primitives (`add`, `edit`, `delete`, `http_get`, `http_post`, `http_put`, `http_delete`) that can send requests to caller-supplied URLs, which is far broader than the manifest’s stated purpose of analyzing lawn imagery and returning scores. In a skill expected to perform read/compute image assessment, unrestricted outbound CRUD/network capability materially increases the risk of data exfiltration, SSRF-style access to internal services, or unauthorized remote actions if higher-level code passes untrusted inputs into these helpers.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The code provides write-capable remote resource manipulation through generic POST/PUT/DELETE wrappers and CRUD helpers without any visible constraint tying them to lawn-health analysis. Because these methods can be repurposed to modify arbitrary remote resources, the capability is unjustified for a predominantly analytical skill and could be abused by surrounding code or prompt-driven workflows to perform unauthorized state-changing actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This module initializes a local SQLite database and creates/updates tables despite the skill being described as lawn-image health assessment. That capability is out of scope for the stated purpose and creates persistent local state that could retain user or operational data unnecessarily, increasing privacy and attack surface.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file implements broad CRUD operations and a user DAO for account records rather than image-analysis functions relevant to lawn health. In the context of a lawn assessment skill, this constitutes unjustified data-management capability that could be repurposed to create, modify, enumerate, or delete local user records, making the mismatch materially suspicious and more dangerous.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model persists identity and credential-adjacent fields including username, realname, email, token, and open_token, which are not justified by lawn-health image scoring. Storing such sensitive fields inside this skill creates unnecessary confidentiality risk, potential token leakage, and a covert user-tracking capability wholly unrelated to the declared function.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The path-handling documentation claims per-agent isolation, but the constructor comments and logic emphasize forcing all paths into a shared workspace database. Ambiguity around isolation boundaries can lead to unintended cross-skill or cross-context data mixing, which is especially problematic when the same module stores user identities and tokens.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The utility layer performs undisclosed remote account provisioning, token acquisition, token persistence, and authenticated API traffic that are unrelated to the skill's stated lawn-image assessment purpose. This creates a hidden trust boundary: invoking the skill can cause user identity creation and credential handling against external services, enabling covert data transmission and account side effects beyond expected functionality.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code inspects agent/workspace layout and manages local skill/data directories despite the skill being described as a lawn health analyzer. While not inherently malicious, this expands the capability surface to environment discovery and filesystem manipulation unrelated to the declared function, increasing the risk of unintended data access or cross-workspace interference if reused elsewhere.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill states that uploaded attachments are automatically saved locally, but this behavior is not prominently disclosed at the point users would understand the privacy impact. Silent local persistence increases the risk of retaining sensitive images or videos longer than expected and broadens the consequences of host compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill accepts network URLs and states that an external API service will fetch them, but this data flow is not clearly surfaced as a privacy and trust boundary. Users may unintentionally cause third-party retrieval of URLs or content, which can leak access patterns, sensitive resource locations, or metadata.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code resolves an internal user identity without clear user-facing notice, and the related CLI option is suppressed from help output. Hidden identity handling undermines informed consent and transparency, and it can mask collection or use of account-linked data in a tool that appears to be a simple local/media analysis utility.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2