Aquarium Plant Health Monitor | 水族箱水草健康监测

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill claims to monitor aquarium plant health, but its code and docs add broad cloud, account, token-storage, history, and generic video/health-analysis behavior that users should review before installing.

Install only if you are comfortable sending aquarium images or videos, supplied URLs, and an open-id/username/phone-like identifier to the vendor's cloud service, and if you accept local plaintext token storage. Review the backend/API documentation and dependency list first. Before routine use, the package should narrow its API surface, remove or justify account/payment/token persistence, and replace the yaml dependency, which does not exist on PyPI.

SkillSpector (28)

By NVIDIA

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
84% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s stated purpose is visual plant health assessment, but it also auto-triggers cloud history queries tied to a user open-id. This is a scope expansion into account-linked data retrieval that users may not reasonably expect from the manifest description, increasing privacy and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation extends beyond image diagnosis into persistence and retrieval workflows using open-id and remote APIs, including mandatory identity handling before execution. This materially changes the data sensitivity of the skill by coupling image analysis with user-linked records and external services.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read local configuration files to obtain an open-id/api-key for remote account-linked operations. Accessing workspace config for credentials or identifiers that are unrelated to the immediate user request risks secret exposure, cross-context credential reuse, and unintended data access.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This skill exposes record-management actions such as add, edit, list, page, and delete that are broader than the stated purpose of aquarium plant image analysis. In a skill expected to only analyze images and return health assessments, these extra capabilities expand the attack surface and could enable unauthorized modification or enumeration of backend records if invoked by an agent or user unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The delete(cameraSn) method provides a destructive backend action that is not justified by the described plant-health monitoring workflow. If exposed through the skill without strong access control and confirmation, it could be abused to remove device- or analysis-related records, causing data loss or service disruption.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documented response schema is clearly for human face detection and constitution/organ diagnosis, which is unrelated to aquarium plant health monitoring. This mismatch strongly suggests the skill may send user media to an endpoint performing a different analysis than promised, creating a serious transparency, misuse, and privacy risk if users upload tank videos that may also contain people or other unintended content.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The API contract accepts generic video uploads or public video URLs and does not constrain input to aquarium plant images, while the surrounding skill claims specialized aquatic plant health analysis. In context, this discrepancy increases the likelihood that the skill is misrepresented or overly broad, enabling collection and off-platform processing of arbitrary user media under a misleading safety/utility claim.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation materially diverges from the declared skill purpose: the manifest promises aquarium plant image health analysis, but the code performs generic video analysis through a shared skill backend. This kind of capability mismatch is dangerous because it can mislead reviewers and users about what data is collected and what remote processing actually occurs, increasing the risk of hidden or overbroad functionality.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The history-listing feature is unrelated to the stated plant-health analysis function and introduces an additional data-access capability not disclosed in the skill description. Undocumented access to prior analysis records can expose user activity or previously submitted media, especially since the code keys behavior off an externally supplied open_id.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The inline docs and CLI repeatedly describe a video-analysis tool, directly contradicting the manifest's aquarium image-analysis purpose. This inconsistency is security-relevant because it signals that the package may be repurposed code with undeclared capabilities, reducing trust in the declared scope and making accidental or intentional misuse harder to detect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file exposes generic CRUD helpers and arbitrary HTTP verb wrappers that are not constrained to aquarium plant image analysis. This broad network capability enables the skill or any caller to interact with unrelated remote endpoints, including modifying or deleting resources, which materially exceeds the declared purpose and increases abuse potential.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
From get_download_url through the generic HTTP methods, the code supports broad remote network operations and resource management rather than only local or narrowly scoped analysis behavior. In the context of a skill advertised as aquarium plant health monitoring, this mismatch is risky because it provides a reusable transport layer that could exfiltrate data or invoke unintended external services.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
This module defines storage for token and open_token fields in a local SQLite user table despite the skill being described as aquarium plant image analysis. Unnecessary collection and persistence of authentication-like secrets increases credential exposure risk, especially because there is no evidence of encryption, hashing, lifecycle controls, or need tied to the declared function.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This utility implements a broad remote API client with automatic user lookup/provisioning, token acquisition, header injection, retry logic, and support for arbitrary HTTP methods. That capability is far beyond the declared aquarium plant image-analysis purpose and creates an unexpected trust boundary: a seemingly narrow vision skill can initiate account actions and communicate with unrelated backend services using stored credentials.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code silently performs phone-login/account creation behavior and handles payment/recharge flows, which are unrelated to aquarium plant monitoring. This can expose user identifiers to external services and trigger account-affecting operations without clear disclosure, expanding privacy and abuse risk considerably for a low-risk image-analysis skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Exposing generic POST/PUT/DELETE/GET helpers allows the skill to perform broad network operations, including destructive requests, despite the manifest describing only plant image analysis. Even if intended as shared infrastructure, this mismatch increases the chance of hidden capabilities, misuse, or later feature creep into unauthorized actions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger conditions include broad, everyday phrases and default activation on uploaded media, which increases the chance of the skill running when the user did not intend cloud-backed plant diagnosis. Overbroad activation is dangerous here because the skill also saves files and may perform networked, identity-linked operations.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill says uploaded files are automatically saved locally and history queries are performed against cloud services, but it does not present a clear upfront warning that images/videos and identifiers may be stored or transmitted off-device. This undermines informed consent and can expose sensitive images, metadata, and user-linked history.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that users must upload files or provide public video URLs to a remote API but does not warn that this transfers user content to an external server for analysis. That omission undermines informed consent and can expose sensitive footage, especially because aquarium or home videos may incidentally capture people, interiors, or location-revealing details.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code reads arbitrary local file contents into memory and sends them to an external analysis service via `self.analysis(...)` without any user-facing disclosure or explicit consent flow in this file. In a skill marketed as aquarium plant monitoring, users may reasonably not expect local files to be transmitted off-device, creating a privacy and data-handling risk if sensitive files are selected or paths are confused.

Missing User Warnings

Low
Confidence
88% confidence
Finding
When `input_path` is an HTTP(S) URL, the code forwards it directly as `videoUrl` to the backend service without warning the user that the URL will be shared externally. This can expose sensitive pre-signed URLs, internal resource locations, or user-controlled endpoints to third-party services, especially if users assume the skill processes content locally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The delete method is a thin wrapper around an HTTP POST request with no visible confirmation, authorization checks, or endpoint restriction. Because the skill context does not require generic destructive remote operations, this makes accidental misuse or malicious invocation more concerning and could lead to unauthorized deletion of remote resources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The model includes plaintext token-bearing fields without any visible protection or disclosure. Persisting secrets in a local SQLite database materially raises the risk of credential theft from local file access, backups, debugging artifacts, or downstream misuse, especially because the skill's stated purpose does not justify handling such credentials.

Static analysis

Install untrusted source

Warn
Finding
Install source points to URL shortener or raw IP.

Dep not found on registry

Critical
Finding
1 package(s) referenced in dependency files do not exist on their public registries: yaml (pypi)

VirusTotal

VirusTotal findings are pending for this skill version.
