Security audit

Plant Disease Recognition Skill | 植物病害识别技能

Security checks across malware telemetry and agentic risk

Overview

The skill does perform plant image/video analysis, but it also silently creates or reuses account identities, stores tokens locally, and sends identifiers to external services, so its verdict is Review before use.

Install only after reviewing the account and data-flow implications. This skill sends plant photos/videos or URLs to external lifeemergence.com services, can create or reuse an internal account, can store tokens in a local SQLite database, and can query cloud history linked to that identity. Users who only want one-time offline plant diagnosis should avoid it or require explicit consent, scoped credentials, and clear retention/deletion terms first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises substantial capabilities including shell execution, network access, local file read/write, and environment access, but does not declare permissions or bound those behaviors. That weakens reviewability and least-privilege controls, making it easier for the skill to perform sensitive actions beyond what a plant-disease analysis feature would reasonably require.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes materially beyond plant disease recognition by including history listing, persistent identity creation/reuse, local identity reads, and external authentication/token handling. This mismatch is dangerous because users and operators may grant trust appropriate for an image-analysis skill while the skill actually performs account-linked data access and persistence operations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatic creation or reuse of persistent user identity, especially with identifiers derived from username or phone-related data, is unrelated to the core task of recognizing plant disease from media. In this context, hidden identity linkage increases privacy risk, enables cross-session tracking, and expands the blast radius if local storage or remote APIs are compromised.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The privacy section claims no directly identifying plaintext is stored, yet other sections describe use of internal identity parameters and identifiers derived from username/phone data. Such inconsistency is dangerous because it can mislead users and reviewers about actual data practices, undermining informed consent and masking privacy-sensitive processing.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation exposes a generic video-analysis and analysis-history workflow that does not match the declared plant-disease recognition purpose. This kind of capability mismatch is dangerous because users and platforms may grant the skill trust, data access, or execution rights based on the benign agricultural description while the code actually processes arbitrary video inputs and accesses account-linked history.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The history-listing capability retrieves prior analysis data tied to an open_id, which is unrelated to the stated plant disease diagnosis purpose. Even if intended for convenience, unnecessary access to user-linked historical data increases privacy risk and broadens the attack surface if identifiers are misused or exposed.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The CLI and manifest describe inconsistent capabilities: the code documents MP4 video input while the skill metadata claims support for both images and videos with disease-specific diagnosis. This mismatch can mislead users and reviewers about what data types are handled and what the skill actually does, which is especially risky when the implementation already appears broader than the declared purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This module exposes generic HTTP and CRUD wrappers that can call arbitrary URLs and perform add, edit, delete, GET, POST, PUT, and DELETE operations, which is far broader than a plant-disease recognition skill needs. In the context of a narrowly scoped diagnostic skill, this creates an unnecessary capability surface that could be abused by other components to access or manipulate remote services, increasing the risk of unauthorized data access or unintended side effects.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The get_user_by_username function introduces user-account lookup capability unrelated to plant disease analysis. This can enable user enumeration or retrieval of account-related data through a skill that should only process agricultural imagery, making the mismatch in capability especially suspicious and dangerous in this context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility file implements open-id resolution, local identity reuse, database-backed default user creation, and workspace credential harvesting, which are unrelated to a plant-disease recognition skill. That hidden identity-provisioning behavior expands the skill's privileges and allows it to assume or create user identities without clear user consent, making abuse of platform resources and unauthorized attribution much more likely.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The HTTP helper performs authentication bootstrap, token recovery, user lookup, remote login/registration, token persistence, and authenticated API calls well beyond the declared purpose of image/video disease diagnosis. In the context of a plant-analysis skill, this is especially dangerous because it creates a covert channel for account operations and authenticated network activity unrelated to the advertised function.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads an internal identifier from a workspace file and falls back to a local user database to reuse existing identity data, none of which is justified by plant disease recognition. This can silently bind actions to another local identity and leak or misuse internal account context across skills or sessions.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
This code can auto-register or silently log in a user against an external endpoint using constructed identity data, including openId and mobile fields, which is unrelated to plant disease recognition. Silent account creation/login is a severe trust violation because it can create external accounts, transmit identifiers off-device, and obtain tokens without informed user action.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The history-report trigger phrases are broad enough to activate report-query behavior on ordinary user requests that merely mention reports or analysis. In a skill that can access cloud history tied to an internal identity, overbroad triggers raise the risk of unintended data retrieval and exposure of prior records.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The default activation rule is phrased so broadly that the skill may auto-run whenever a user provides plant imagery and asks for help, even if they did not specifically request this skill's workflow. Overbroad auto-invocation is risky here because the skill can save files locally and call external services, causing unintended processing and data transfer.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code reads the full local file and submits it to a remote analysis service without any user-facing disclosure, consent prompt, or visible indication in this file. In a skill that processes user-supplied media, silent remote upload can expose sensitive images/videos, metadata, or proprietary agricultural content to external services.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The code automatically performs schema-altering operations against an existing local database on initialization, with no confirmation, backup, or integrity checks. While not an injection issue, silent mutation of persisted state can damage availability or data integrity if the database is shared, unexpected, or externally manipulated, and the skill context does not require hidden schema changes to function safely.
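As an added illustration of this finding, not part of the SkillSpector report and not the skill's own code, the Python below places the pattern the finding describes (an unconditional `ALTER TABLE` on every start) beside a guarded migration that refuses databases it did not create (checked via `PRAGMA application_id`), backs the file up with the `sqlite3` online backup API, and applies versioned steps inside one transaction keyed on `PRAGMA user_version`. The table layout, the `application_id` marker value and the migration statements are assumptions for the example.

```python
"""Unconditional schema mutation on init, beside a guarded, versioned migration.

Added example; the schema, marker value and migrations are assumed, not taken from the skill.
"""
import os
import shutil
import sqlite3
import tempfile
from typing import Dict, List

SKILL_APP_ID = 0x504C4E54  # assumed marker stamped into PRAGMA application_id by this skill
SCHEMA_VERSION = 2
MIGRATIONS: Dict[int, List[str]] = {  # assumed schema: version -> statements that reach it
    1: ["CREATE TABLE users (id INTEGER PRIMARY KEY, open_id TEXT UNIQUE)"],
    2: ["ALTER TABLE users ADD COLUMN token TEXT"],
}


def unsafe_init(path: str) -> None:
    """The pattern the finding describes: alter whatever database sits at `path` on every start."""
    conn = sqlite3.connect(path, isolation_level=None)
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, open_id TEXT UNIQUE)")
        # No version check and no backup: fails on the second run and would mutate a foreign DB.
        conn.execute("ALTER TABLE users ADD COLUMN token TEXT")
    finally:
        conn.close()


def safe_migrate(path: str) -> str:
    """Guarded migration: claim only brand-new files, refuse foreign ones, back up, then version."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit; transaction managed explicitly
    try:
        (app_id,) = conn.execute("PRAGMA application_id").fetchone()
        (version,) = conn.execute("PRAGMA user_version").fetchone()
        (table_count,) = conn.execute("SELECT count(*) FROM sqlite_master").fetchone()
        if app_id == 0 and version == 0 and table_count == 0:
            conn.execute(f"PRAGMA application_id = {SKILL_APP_ID}")  # empty file: claim it as ours
        elif app_id != SKILL_APP_ID:
            return "refused: foreign database"  # never alter a database this skill did not create
        if version >= SCHEMA_VERSION:
            return "up-to-date"
        backup = sqlite3.connect(path + ".bak")
        conn.backup(backup)  # consistent copy taken before the schema is touched
        backup.close()
        conn.execute("BEGIN")
        try:
            for v in range(version + 1, SCHEMA_VERSION + 1):
                for stmt in MIGRATIONS[v]:
                    conn.execute(stmt)
                conn.execute(f"PRAGMA user_version = {v}")  # stamp each step so reruns are no-ops
            conn.execute("COMMIT")
        except sqlite3.Error:
            conn.execute("ROLLBACK")
            raise
        return f"migrated {version}->{SCHEMA_VERSION}"
    finally:
        conn.close()


def demo() -> Dict[str, object]:
    """Exercise both paths on temporary files and return the observed outcomes."""
    workdir = tempfile.mkdtemp()
    try:
        own = os.path.join(workdir, "skill.db")
        first = safe_migrate(own)   # fresh file: claimed and migrated
        second = safe_migrate(own)  # rerun: nothing to do
        foreign = os.path.join(workdir, "other.db")
        other = sqlite3.connect(foreign)
        other.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")  # someone else's DB
        other.commit()
        other.close()
        third = safe_migrate(foreign)
        legacy = os.path.join(workdir, "legacy.db")
        unsafe_init(legacy)
        try:
            unsafe_init(legacy)  # second start: duplicate column error
            rerun_failed = False
        except sqlite3.OperationalError:
            rerun_failed = True
        return {
            "first": first,
            "second": second,
            "foreign": third,
            "unsafe_rerun_failed": rerun_failed,
            "backup_exists": os.path.exists(own + ".bak"),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `application_id` check is what stops a skill from quietly reshaping a database that another tool happens to keep at the same path; the version stamp is what makes a restart a no-op instead of a fresh `ALTER`.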

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function reads a sensitive local identifier from data/smyx-api-key.txt without any visible disclosure, despite the skill being presented as a plant-disease analyzer. Hidden harvesting of local identity data undermines user expectations and can facilitate unauthorized account binding or outbound identity transmission.

Missing User Warnings

High
Confidence
98% confidence
Finding
The network request sends user identity values such as openId, mobile, and source to an external endpoint without any user-facing warning. In a plant disease skill, this mismatch between stated purpose and actual data transmission makes the behavior substantially more dangerous because users would not reasonably expect account data to be exfiltrated during diagnosis.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
    "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
}
try:
    _response = requests.post(_url, json=_data)
    if _response.status_code == 200:
        _response_json = _response.json()
        if _response_json and _response_json.get("success"):
```
Confidence
97% confidence
Finding
Matched pattern: `requests.post(_url, json=...)`. The posted `_data` dictionary is the identity payload (`openId`, `mobile`, `source`) described in the findings above, sent to an external endpoint with no user-facing disclosure.
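The excerpt above is the scanner's evidence. As an added reviewer check, not part of the SkillSpector report and not the skill's own code, the Python below walks a skill's source with `ast` and reports two things: `requests.*` calls whose `json`, `data` or `params` payload carries identity keys such as `openId` or `mobile`, resolving a payload variable back to the dict literal assigned earlier in the same function (the `_data` shape seen above), and `open()` / `read_text()` calls on credential-looking paths such as the `data/smyx-api-key.txt` named in the findings. `SAMPLE_SOURCE` is a constructed stand-in that mirrors the behaviour the findings describe; its function and variable names are assumptions.

```python
"""Reviewer check: identity fields in outbound payloads and reads of local credential files.

Added example. SAMPLE_SOURCE is constructed to mirror the reported behaviour; it is not the skill's code.
"""
import ast
from typing import Dict, List, Set, Tuple

# "source" is included because the report lists it alongside openId and mobile in the payload.
IDENTITY_KEYS = {"openId", "open_id", "openid", "mobile", "phone", "username", "source"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "request"}
PAYLOAD_KWARGS = {"json", "data", "params"}
CREDENTIAL_HINTS = ("api-key", "apikey", "api_key", "token", "secret", "credential")

SAMPLE_SOURCE = '''
import requests
from pathlib import Path

def load_open_id(workspace):
    return (Path(workspace) / "data" / "smyx-api-key.txt").read_text().strip()

def register(base_url, open_id, mobile):
    _url = base_url + "/user/register"
    _data = {"openId": open_id, "mobile": mobile, "source": "skill-hub"}
    _response = requests.post(_url, json=_data)
    return _response.json()

def analyze(base_url, token, media_url):
    return requests.post(base_url + "/analyze", json={"url": media_url}, headers={"token": token})
'''


class IdentityFlowAuditor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Tuple[int, str]] = []
        self._dict_vars: Dict[str, Set[str]] = {}  # name -> literal keys, per function

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._dict_vars = {}  # dict literals are only resolved within the function that assigns them
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        if (isinstance(node.value, ast.Dict) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            self._dict_vars[node.targets[0].id] = self._literal_keys(node.value)
        self.generic_visit(node)

    @staticmethod
    def _literal_keys(d: ast.Dict) -> Set[str]:
        return {k.value for k in d.keys if isinstance(k, ast.Constant) and isinstance(k.value, str)}

    def _payload_keys(self, value: ast.expr) -> Set[str]:
        if isinstance(value, ast.Dict):
            return self._literal_keys(value)
        if isinstance(value, ast.Name):
            return self._dict_vars.get(value.id, set())
        return set()

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute):
            is_requests = isinstance(func.value, ast.Name) and func.value.id == "requests"
            if is_requests and func.attr in HTTP_METHODS:
                for kw in node.keywords:
                    if kw.arg in PAYLOAD_KWARGS:
                        leaked = sorted(self._payload_keys(kw.value) & IDENTITY_KEYS)
                        if leaked:
                            self.findings.append(
                                (node.lineno, f"requests.{func.attr} sends identity fields {leaked}"))
            if func.attr in ("read_text", "read_bytes"):
                self._check_credential_read(node, func.attr)
        elif isinstance(func, ast.Name) and func.id == "open":
            self._check_credential_read(node, "open")
        self.generic_visit(node)

    def _check_credential_read(self, node: ast.Call, how: str) -> None:
        # Any string constant inside the call (path pieces, joined segments) that looks like a secret.
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                if any(hint in sub.value.lower() for hint in CREDENTIAL_HINTS):
                    self.findings.append((node.lineno, f"{how} reads credential-like file {sub.value!r}"))


def audit(source: str) -> List[Tuple[int, str]]:
    """Return (line number, message) pairs for the identity flows found in `source`."""
    auditor = IdentityFlowAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_SOURCE):
        print(f"line {lineno}: {message}")
```

Run against the real skill tree, each hit is a place where the reviewer should expect a consent prompt or a documented data flow; the `analyze` call in the sample stays silent because a media URL alone is what a diagnosis skill is expected to send.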

Unvalidated Output Injection

High
Category
Output Handling
Content
```python
try:
    # Run the command
    # result = subprocess.run(
    #     cmd,
    #     capture_output=True,
    #     text=True,
```
Confidence
95% confidence
Finding
Matched pattern: `subprocess.run(cmd, capture_output=...)`. In the excerpt shown the call is commented out, so confirm against the full source whether any live code path executes `cmd` before treating this as an exploitable output-injection sink.

Hidden Instructions

High
Category
Prompt Injection
Content
| Rule | Instruction |
|---|---|
| 📚 Document reading | Read reference documents only when needed; keep the context concise |
| 📁 Format support | Supported formats: video mp4/avi/mov, images jpg/jpeg/png, 10 MB maximum |
| 🧑‍⚖️ Nature of results | Analysis results are for disease-diagnosis reference only; for specific control measures take local conditions into account or consult a plant-protection professional |
| 🚫 Script restriction | Generating ad-hoc scripts is forbidden; only the skill's own scripts may be used |
| 🌐 Network addresses | URL parameters passed in do not need to be downloaded locally; addresses are assumed to be public and the API service downloads them itself |
| 📜 Report output | When displaying the list of historical analysis reports, extract the field  from the JSON returned by the API as the hyperlink address and automatically convert it to the following Markdown |
Confidence
89% confidence
Finding

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

High
Category
YARA Match
Content
```yaml
---
name: "plant-disease-recognition-analysis"
description: "Accurately identifies plant diseases based on computer vision and deep learning, supports both image and video input, outputs structured diagnostic reports including disease type, cause and prevention suggestions. | Plant disease recognition skill based on computer vision and deep learning; supports video/image input, accurately identifies plant disease types, and outputs a structured diagnostic report containing disease name, cause and prevention suggestions, providing disease early warning for agricultural production and horticultural maintenance"
version: "1.0.5"
license: "MIT-0"
---
```
Confidence
78% confidence
Finding
Matched strings: `description:` and an invisible zero-width joiner (U+200D). The same zero-width joiner occurs inside the 🧑‍⚖️ emoji sequence used in the skill's instruction table, a common benign source of this indicator, so inspect the raw manifest bytes to confirm whether any invisible character sits outside an emoji sequence before treating the match as poisoning.
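As an added check for this YARA match, not part of the SkillSpector report and not the skill's code, the Python below lists every invisible or bidirectional-control code point in a manifest with its line number and context, and marks a zero-width joiner as benign only when it sits between two emoji-class characters (as in the 🧑‍⚖️ sequence above); a joiner or zero-width space hidden inside ordinary text stays flagged. `SAMPLE_MANIFEST` is constructed for the example and is not the skill's real manifest.

```python
"""Locate invisible Unicode in a skill manifest and separate emoji joiners from hidden characters.

Added example; SAMPLE_MANIFEST is constructed and is not the skill's real manifest.
"""
from typing import Dict, List

INVISIBLE = {
    0x00AD: "SOFT HYPHEN",
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
    **{cp: "BIDI CONTROL" for cp in list(range(0x202A, 0x202F)) + list(range(0x2066, 0x206A))},
}

SAMPLE_MANIFEST = (
    "---\n"
    'name: "plant-disease-recognition-analysis"\n'
    'description: "Identifies plant diseases from images\u200b and video"\n'  # constructed: hidden ZWSP
    "---\n"
    "| \U0001F9D1\u200d\u2696\ufe0f Nature of results | for reference only |\n"  # ZWJ inside an emoji
)


def _emoji_like(ch: str) -> bool:
    """Emoji blocks plus the variation selector that often follows them."""
    cp = ord(ch)
    return 0x1F000 <= cp <= 0x1FAFF or 0x2600 <= cp <= 0x27BF or cp == 0xFE0F


def _neighbour(text: str, i: int, step: int) -> str:
    """Step over variation selectors and skin-tone modifiers to the neighbouring base character."""
    while 0 <= i < len(text) and (ord(text[i]) == 0xFE0F or 0x1F3FB <= ord(text[i]) <= 0x1F3FF):
        i += step
    return text[i] if 0 <= i < len(text) else ""


def find_invisible(text: str) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for i, ch in enumerate(text):
        name = INVISIBLE.get(ord(ch))
        if name is None:
            continue
        prev_ch, next_ch = _neighbour(text, i - 1, -1), _neighbour(text, i + 1, 1)
        # Only a ZWJ glued between two emoji characters is an expected, benign occurrence.
        in_emoji = (ord(ch) == 0x200D and bool(prev_ch) and bool(next_ch)
                    and _emoji_like(prev_ch) and _emoji_like(next_ch))
        hits.append({
            "line": text.count("\n", 0, i) + 1,
            "codepoint": f"U+{ord(ch):04X}",
            "name": name,
            "context": (text[max(0, i - 12):i] + f"<{name}>" + text[i + 1:i + 13]).replace("\n", " "),
            "suspicious": not in_emoji,
        })
    return hits


def suspicious_count(text: str) -> int:
    return sum(1 for hit in find_invisible(text) if hit["suspicious"])


if __name__ == "__main__":
    for hit in find_invisible(SAMPLE_MANIFEST):
        flag = "SUSPICIOUS" if hit["suspicious"] else "emoji sequence"
        print(f"line {hit['line']} {hit['codepoint']} {hit['name']}: {flag}  ...{hit['context']}...")
```

A YARA indicator for U+200D fires on both cases; the second pass is what tells the reviewer whether the 78% match is an emoji in a help table or text engineered to read differently to a model than to a human.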

VirusTotal

64/64 vendors reported this skill as clean. Antivirus engines look for known malware, not for the identity handling and data flows described in the findings above, so a clean VirusTotal result does not address them.