Back to skill

Security audit

Orchid Growth Status Detection (Shoots / Spike / Roots) | 兰花新芽/花梗/根系状态识别

Security checks across malware telemetry and agentic risk

Overview

The skill does orchid media analysis, but it also silently creates or reuses an identity, logs into a remote service, stores tokens locally, and can retrieve account-linked report history.

Review before installing if you are not comfortable with media being sent to a remote service and with the skill creating or reusing an internal account identity. Avoid using it with private home, greenhouse, or personally identifying images unless you accept the cloud processing, local token storage, and report-history behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            if offset:
                query = query.offset(offset)
Confidence
81% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
                for key, value in filters.items():
                    query = query.filter(getattr(self.__model__, key) == value)

            return query.scalar()
        finally:
Confidence
79% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while its documented behavior and associated scripts imply shell execution, local file read/write, environment use, and network access. This mismatch prevents informed consent and review, and can hide materially risky capabilities such as local persistence and outbound data transfer.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as orchid image analysis, but the described implementation also performs account bootstrap, persistent identity resolution, local SQLite storage, and history-report retrieval tied to a user identity. That behavior expansion is dangerous because users may provide images expecting one-off local analysis while the skill silently creates persistent records and interacts with remote services beyond the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation broadens the skill from image analysis into cloud-based history lookup and report-link retrieval, which introduces extra remote data flows and possible exposure of prior reports. Even if intended as convenience functionality, undocumented expansion of scope increases privacy and data-handling risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automatically creating and reusing a default local identity is unnecessary for basic orchid image analysis and creates silent persistence that can link activity across sessions. If combined with cloud report queries or backend login, it can cause unintended account correlation, retention of user data, and cross-user mix-ups on shared systems.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script includes a hidden identity/history feature unrelated to the advertised orchid-analysis function: it resolves an internal open_id and supports a concealed --list mode to retrieve prior analysis reports. This creates an unexpected data-access surface and can expose user-linked history without clear consent, documentation, or access-control visibility, which is especially risky for a consumer-facing image analysis skill.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The skill manifest describes HD image-based orchid analysis, but the implementation explicitly accepts remote video URLs and forwards them to a backend service. This capability mismatch expands the data types and data sources processed by the skill, increasing the risk of unintended remote content ingestion, privacy exposure, and backend abuse if users or agents trust the manifest as the security boundary.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The code validates only file extension and size, then reads the full local file into memory and uploads it to a backend analysis API without enforcing orchid-image-specific semantics in this module. That creates a capability gap where arbitrary supported local files may be exfiltrated to a remote service under the guise of orchid analysis, which is especially risky in agent environments where file paths may be supplied indirectly.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation materially differs from the advertised skill purpose: the manifest describes orchid image growth-status detection, but the code exposes a generic video-analysis workflow and a history-listing function tied to an open ID. This kind of capability mismatch is dangerous because users may provide plant images expecting local or narrowly scoped processing, while the skill can instead process arbitrary video inputs and access historical analysis data, increasing the risk of unintended data exposure and misuse.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code's docstring and CLI help explicitly describe a video analysis tool, which conflicts with the manifest's orchid image diagnosis description. This inconsistency is a supply-chain and transparency issue: it can mislead reviewers and users about what data types are accepted, what processing occurs, and whether the skill is operating within its declared permissions and purpose.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file implements a generic API wrapper with broad paging, CRUD, and arbitrary HTTP methods that are not constrained to orchid-analysis functionality. In a skill whose stated purpose is image-based orchid health assessment, this expands the attack surface and could enable unintended access to unrelated backend actions if other components pass attacker-controlled URLs or payloads.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The presence of add, edit, delete, and arbitrary PUT/DELETE helpers gives the skill capability to modify or remove remote resources without any visible restriction tied to orchid image analysis. If invoked by untrusted inputs or misused by other code, these methods could perform destructive actions against backend systems unrelated to the advertised feature set.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The shared configuration class reads user-identifying environment variables such as sender open IDs and usernames even though this orchid-analysis skill does not need identity data to perform image-based plant assessment. This creates unnecessary access to personal identifiers, expanding the privacy attack surface and enabling unintended propagation or later misuse of sensitive data across unrelated skills.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file implements generic persistence for user accounts, usernames, emails, and token-bearing records, which is unrelated to orchid growth analysis. In a narrowly scoped image-analysis skill, hidden account-management capability expands the attack surface and creates unjustified opportunities for collection, storage, and mutation of user identity data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The User model stores authentication-adjacent artifacts such as token and open_token despite the skill being for orchid image analysis. Unnecessary handling of secrets or bearer-style credentials in an unrelated skill materially increases risk of credential leakage, abuse, or unauthorized cross-feature persistence.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The file for an orchid growth-status analysis skill contains a generic `ai_chat` capability that is unrelated to the stated image-analysis purpose. Even though the subprocess execution is currently commented out, embedding agent-execution functionality in a domain-specific skill expands the attack surface and creates a latent path for prompt-driven command or agent invocation if later enabled or inherited elsewhere.

Intent-Code Divergence

High
Confidence
87% confidence
Finding
The docstring claims the method invokes an external `openclaw agent` via subprocess, but the implementation does not do so and instead uses a placeholder dictionary. This mismatch is dangerous because it obscures the real behavior of security-sensitive code, can mislead reviewers into approving dormant execution logic, and suggests the method may be a stub for later activation without proper controls.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The utility code performs authenticated external API access, token handling, silent account provisioning, and local persistence of user identity data, which is unrelated to orchid image analysis. This creates an unnecessary capability to transmit data off-device and bind the user/workspace to a remote service without clear, purpose-limited consent, greatly expanding the attack surface.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code inspects workspace paths and environment variables, reads identity material from data/smyx-api-key.txt, and creates persistent default user identities in a local database. For an orchid growth-status detector, this is unjustified privileged behavior and can silently fingerprint the environment and establish durable identifiers without the user's awareness.

Vague Triggers

Medium
Confidence
86% confidence
Finding
A default trigger that activates on generic orchid image-analysis requests is overly broad and can cause the skill to run automatically on inputs the user did not intend to send through this workflow. In this skill, broad triggering is more concerning because execution may include file handling, shell/script invocation, network submission, and identity-linked backend actions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The historical-report trigger relies on broad natural-language phrases and may activate when a user is merely discussing reports rather than requesting a cloud lookup. Because history queries are identity-linked and retrieve remote data, accidental activation can expose prior report metadata or perform unintended backend calls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code opens a local file, reads its contents, and sends it to a remote analysis service, but there is no user-facing notice, consent flow, or disclosure in the skill logic indicating that local data will leave the device. In a consumer plant-care context, users are unlikely to expect broad file upload behavior beyond obvious image analysis, so silent transmission creates meaningful privacy and trust risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The analysis path passes a local file path or remote URL into skill.get_output_analysis without any explicit user-facing notice that content may be sent to an external service. In this skill context, users expect horticulture image analysis, so silent network transmission of local media or externally referenced content creates privacy and data-governance risk, especially if home, greenhouse, or personally identifiable visual data is included.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The delete helper performs a remote destructive action with no visible safeguards, confirmations, or contextual restriction in this file. In a skill meant for orchid growth assessment, undeclared deletion capability is especially suspicious because it is unnecessary to the advertised purpose and could be abused to remove remote data or records.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
skills/smyx_common/scripts/config-dev.yaml:2