植物生长阶段识别技能 (Plant Growth Stage Recognition Skill)

Security checks across malware telemetry and agentic risk

Overview

This plant-analysis skill carries enough under-disclosed account handling, token storage, cloud report history, and mismatched human-analysis behavior that users should review it before installing.

Install only if you are comfortable sending plant media or media URLs plus a user identifier to the publisher's cloud service, and with the skill creating or using an account and storing returned tokens locally. Prefer a corrected version that removes the stale human health/face-analysis references, documents retention and report-history behavior, scopes URL fetching, and avoids local token persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
if filters:
    for key, value in filters.items():
        query = query.filter(getattr(self.__model__, key) == value)

if offset:
    query = query.offset(offset)
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    if filters:
        for key, value in filters.items():
            query = query.filter(getattr(self.__model__, key) == value)

    return query.scalar()
finally:
Confidence
83% confidence
Finding
query = query.filter(getattr(self.__model__, key) == value)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script accepts an arbitrary --open-id and passes it directly to skill.get_output_analysis_list(open_id=open_id), enabling enumeration or retrieval of another user's analysis history if backend authorization is weak or absent. In a plant-growth recognition skill, cross-user list access is not necessary to the stated purpose, so this expands data exposure beyond expected functionality and increases privacy risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The documented endpoint and response schema describe face detection and human health/constitution diagnosis, which directly conflicts with the stated plant growth stage recognition purpose of the skill. This mismatch is dangerous because it can conceal undisclosed collection or transmission of human biometric and sensitive health-related data under a benign agricultural label, creating privacy, compliance, and trust risks.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The response fields explicitly mention face detection, organ-condition assessment, constitution diagnosis, and health suggestions, which are unrelated to plant lifecycle analysis. In the context of a plant-recognition skill, this contradiction strongly suggests either misleading documentation or an underlying capability mismatch that could route users' video data into sensitive human-analysis workflows without informed awareness.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill advertises plant growth stage recognition/analysis, but this API wrapper also exposes generic CRUD-style operations such as page, list, add, edit, and delete. That scope mismatch increases the attack surface and enables backend record manipulation that is not necessary for image analysis, creating a capability expansion risk if the skill is invoked by an agent or user with broader access than intended.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The edit and delete methods allow modification and deletion of backend resources, including deletion by cameraSn, even though such capabilities are unrelated to the stated recognition function. In an agent skill context, unexpected write/delete operations are especially dangerous because they can be abused through prompt-driven tool use or misconfiguration to tamper with operational data or remove records.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The code implements generic video analysis and history retrieval behavior rather than plant growth stage recognition as advertised in the skill metadata. This mismatch is dangerous because it can cause users and platform reviewers to trust the skill under a narrow agricultural purpose while it actually sends arbitrary video inputs and user-linked history requests to backend functionality with broader scope.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The CLI explicitly describes itself as a generic 'video analysis tool,' which contradicts the manifest's specialized plant growth stage recognition claim. This discrepancy increases security risk because deceptive or inaccurate interface text can hide broader-than-declared capabilities, undermining informed consent, policy review, and least-privilege expectations for the skill.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements a generic API wrapper with arbitrary URL-based HTTP operations and CRUD-like methods that are not constrained to plant growth stage recognition. In the context of an analysis-focused agriculture skill, this materially expands capability to perform unrelated external network access and remote state changes, increasing the risk of misuse, data exfiltration, or hidden side effects.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The add, edit, delete, and generic http_* methods expose mutation-capable network behavior that is unjustified by the stated purpose of recognizing plant growth stages. Because these methods accept caller-supplied URLs and parameters, they can be repurposed to interact with arbitrary services and perform destructive or unauthorized remote actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements a generic user/account persistence layer, including token-related fields, despite the skill claiming to perform plant growth stage recognition. This functionality mismatch is suspicious because unrelated credential/account handling increases the chance of covert data collection, unauthorized persistence, or hidden side effects outside the advertised computer-vision purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The User model stores usernames, email addresses, tokens, and open tokens, which are sensitive account artifacts not justified by a plant-growth analysis skill. In this context, such data handling materially raises privacy and credential-theft risk because the functionality is unrelated to the stated purpose and may persist secrets locally without user awareness.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The DAO automatically creates a local SQLite database and performs schema mutation during initialization, behavior unrelated to simple plant image analysis. In this skill context, hidden persistence and automatic schema changes are more dangerous because they create unadvertised side effects and a foothold for retaining user or system data beyond the expected CV workflow.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This utility performs authenticated user lookup, auto-provisioning via /sys/phoneLogin, token persistence, and generic remote API mutation logic that is unrelated to plant growth stage recognition. In the context of a CV/analysis skill, hidden account creation and broad API capabilities expand the attack surface and can trigger unauthorized backend actions using user-linked identities or service secrets.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code injects payment/top-up (充值) upsell behavior when a 402 condition occurs, steering the user to install another skill and fund an account. While not code execution by itself, this is functionality unrelated to plant analysis and creates a risky cross-skill monetization path that could be abused for deceptive prompting or unauthorized commercial flows.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The history-report trigger phrases are broad enough that normal conversational requests may unintentionally invoke cloud history listing. In this skill, that is more dangerous because history access is tied to user identifiers and report retrieval, so an accidental trigger could expose prior analysis metadata or links the user did not intend to request.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The default activation rule is vague and may cause the skill to run whenever any plant image/video is mentioned, without clear gating on user intent. Because execution includes file handling and remote API submission, ambiguous triggering increases the risk of sending attachments or processing content without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to upload videos or provide public video URLs for analysis and shows outputs involving faces and health-related inferences, yet it provides no privacy notice, consent requirement, retention policy, or data-handling constraints. That is risky because biometric and health-adjacent data are highly sensitive, and silent transmission to a remote API can expose users to surveillance, regulatory violations, and unauthorized secondary use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code reads arbitrary local file content into memory and uploads it to an external analysis service without any user-visible disclosure or confirmation step in this component. In a skill ecosystem, that creates a privacy and data-handling risk because users may not realize local files are being transmitted off-host, especially when the manifest emphasizes plant-stage recognition rather than file upload behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill requires an open_id/user identifier and uses it for remote analysis list retrieval and related operations without any explicit privacy notice, minimization, or disclosure of how the identifier is transmitted and stored. In this context, the risk is elevated because the skill already appears to expose broader backend video-analysis functionality than advertised, making silent collection of user-linked identifiers more privacy-sensitive.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The delete method directly performs a remote POST-backed delete action with no visible confirmation, safety checks, or scope restriction. In a skill whose declared purpose is analysis rather than remote resource administration, this creates unnecessary risk of unintended or abusive destructive operations.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The save routine overwrites any path provided with no validation, no backup, and no user confirmation. If an attacker can influence the path or config contents through surrounding code, this could clobber arbitrary application files, corrupt configuration, or facilitate denial of service; the broad exception handling would also hide evidence of misuse or failure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Initializing the DAO creates or opens a SQLite database file in a workspace-derived path without any explicit notice or confirmation. In a skill advertised for plant growth recognition, silent local persistence can surprise operators, create undeclared data retention, and increase forensic or privacy risk if sensitive information is later written there.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code automatically executes an ALTER TABLE on startup, modifying local schema without user-facing warning. Automatic schema mutation is risky in a mismatched skill because it changes system state unexpectedly and can enable hidden expansion of stored data, especially when tied to account records.

VirusTotal

59/59 vendors flagged this skill as clean.