Fruit Ripeness Grading | Tomato/Strawberry Fruit Ripeness Grading

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill claims to grade fruit ripeness, but its artifacts include unrelated health/face/pet analysis behavior, account creation, identifier handling, token persistence, and an unsafe dependency issue.

Review before installing. Only use this skill if you are comfortable sending images or videos, identifiers such as usernames or phone numbers, and report-history queries to the publisher's cloud service. Do not provide real phone numbers or sensitive media unless the publisher clarifies the health/face-analysis mismatch, removes silent account/token persistence, fixes the dependency issue, and documents deletion and data-retention controls.

SkillSpector (28)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises a simple fruit-ripeness analysis workflow, but its instructions require capabilities including shell execution, network access, file reads/writes, and environment/config access without declaring them. This weakens transparency and reviewability, making it easier for the skill to access local files, save user data, and contact remote services beyond what a user would reasonably expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
There is a substantial mismatch between the declared purpose of image-based fruit grading and the broader behavior described by analysis: account/login flows, persistent token storage, history listing/export, and use of generic external analysis infrastructure. Such scope expansion is dangerous because users may provide agricultural images while the skill actually handles identifiers, persists credentials or tokens, and interacts with unrelated external systems.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest frames the skill as image-based ripeness grading, but the documentation adds cloud-backed history querying and report retrieval features. This undocumented secondary behavior expands data processing scope and can expose user identifiers, prior results, and remote-report access in ways a user would not anticipate from the manifest alone.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill documentation states that uploaded attachments are automatically saved locally and that cloud APIs are used, yet this broader storage and transmission behavior is not clearly reflected in the manifest description. Automatic local persistence plus external transfer increases privacy and data-handling risk, especially for mobile uploads and historical records.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill requires collecting an open-id sourced from config files, API keys, usernames, or phone numbers before analysis or report operations, even though fruit-ripeness grading itself does not inherently require personal identifiers. Using phone numbers or usernames as mandatory identifiers creates unnecessary privacy risk and can tie innocuous image analysis to persistent user profiles and cloud histories.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documented endpoints and scenario code are for pet health analysis, which directly contradicts the stated fruit ripeness grading purpose of the skill. This kind of cross-domain mismatch can cause the agent or integrator to call unintended backend services, exposing unrelated sensitive data or triggering unauthorized operations due to confused-deputy behavior and misrouting.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The analysis request injects a `petType` parameter into a fruit-ripeness grading workflow, which is unrelated to the declared purpose and indicates hidden or repurposed functionality. In this context, that increases the risk of improper data handling, backend behavior being steered by an undocumented parameter, or cross-skill routing to an unintended model/service; the contradiction with the manifest makes it more suspicious, not less.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The list operation is presented as user-scoped history via the open_id and optional time range, but the implementation ignores those parameters and returns a generic analysis list. In a multi-user deployment, this can expose other users' analysis history or metadata, creating an access-control and privacy weakness even if the data returned is only indirect or summary information.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The referenced API documentation is materially inconsistent with the skill’s stated purpose: it describes video upload / video URL submission for face detection, constitution diagnosis, and health-related analysis rather than fruit ripeness grading. This mismatch is dangerous because it can cause the skill to send user media to an unrelated biometric/health-analysis endpoint, creating a serious risk of unintended collection and processing of sensitive personal data under a misleading agricultural use case.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation parses and prioritizes generic, health, and healthAiResponse payloads instead of fruit-ripeness-specific outputs promised by the manifest. This creates a clear skill/behavior mismatch that can misroute user data to an unrelated analysis backend and produce misleading results, which is especially risky because users may trust harvesting decisions based on incorrect analysis.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The input path handling is oriented around local video files or remote video URLs, while the skill is described as analyzing fruit images from grow-boxes or phones. This mismatch can cause users to submit unintended media, send data to an unexpected workflow, and weaken trust boundaries around what content is uploaded and how it is processed.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The report-listing code extracts health/body-assessment subjects from healthAiResponse or faceAnalysisResponse rather than fruit ripeness results. This indicates cross-domain data mixing and can expose unrelated health-analysis metadata in a fruit-analysis skill, potentially leaking sensitive information and misleading users about the nature of stored reports.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Accepting arbitrary remote URLs expands the skill's scope beyond its stated purpose and can enable the backend service to fetch attacker-controlled resources. If the downstream analysis service dereferences these URLs server-side, this creates SSRF-style risk, unintended network access, or ingestion of untrusted content without meaningful restriction.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The service exposes generic HTTP and CRUD wrappers that can call arbitrary URLs and perform broad operations unrelated to fruit-ripeness grading. In a skill whose manifest describes image-based grading only, this creates unnecessary network capability and enlarges the attack surface for data exfiltration, unauthorized backend access, or repurposing the skill as a general API client.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The add, edit, delete, http_post, http_put, and http_delete methods provide remote state-changing capabilities without any visible authorization, scoping, or business-rule restriction in this file. Because the advertised skill only analyzes fruit images, these mutation primitives are unjustified and could be abused to alter or delete remote resources if reachable by higher-level code or attacker-controlled inputs.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file defines a generic user-account persistence layer, including user lookup and update operations, even though the stated skill is limited to fruit ripeness analysis. Scope mismatch is dangerous because it introduces unnecessary handling of account data and stateful user-management behavior, increasing privacy and attack surface without any stated need in the skill context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The User model stores identity and highly sensitive authentication material such as token and open_token, which are unrelated to tomato/strawberry ripeness grading. Collecting and persisting secrets outside the declared purpose creates significant privacy and credential-compromise risk, especially if the local SQLite database is accessed, copied, or backed up insecurely.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The DAO initializes a writable local database and performs schema mutation via ALTER TABLE during object construction, behavior that is not reflected in the skill description. Hidden persistence and schema changes are risky because they create side effects on the host environment, can surprise operators, and may enable unreviewed accumulation of user or operational data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This shared utility performs phone-login style account provisioning, token retrieval, and token persistence, which is unrelated to fruit ripeness image analysis and materially expands the skill's privilege surface. A user invoking an image-analysis skill would not reasonably expect background account creation and credential handling, creating risk of unauthorized account lifecycle actions and misuse of stored tokens if the environment is compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The helper can create platform user accounts through a phone-login endpoint using a username/openId/mobile value, despite the skill being described as fruit ripeness grading. This mismatch between declared functionality and implemented behavior is dangerous because it enables silent account creation or linkage on behalf of users, potentially causing identity abuse, unauthorized registrations, or hidden platform enrollment.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The utility stores retrieved tokens and open tokens into a local user record, creating persistent authentication material beyond the immediate request. Persisting tokens for a skill that should mainly analyze fruit images increases exposure to credential theft, session hijacking, and cross-skill abuse if local storage or the DAO layer is accessed by another component.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation says uploaded images or videos are automatically saved as local files, but the description does not provide a clear up-front warning to users. Silent local persistence can capture sensitive images, metadata, or filenames and leave them on disk longer than users expect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Historical report queries require sending user identifiers to a cloud API, but this transmission is not clearly warned about in the skill description. Users may reasonably believe they are performing local image grading, not querying remote services tied to their identity and prior records.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API documentation instructs users to upload videos or provide public video URLs but contains no privacy notice, consent guidance, retention statement, or warning about possible capture of people/faces. In the context of the mismatched face/health-analysis API, this omission increases the risk that users unknowingly transmit sensitive or personal imagery to a service that may perform biometric or health-related inference.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code reads local file contents and uploads them, or forwards remote URLs to the analysis service, without any visible notice in this file about transmission, privacy, or third-party processing. In a skill that may process user-captured media from phones or grow environments, silent upload behavior increases privacy and consent risk.

Static analysis

Install untrusted source

Warn
Finding
Install source points to a URL shortener or a raw IP address.

Dep not found on registry

Critical
Finding
1 package referenced in dependency files does not exist on its public registry: yaml (pypi)

VirusTotal

VirusTotal findings are pending for this skill version.