Plant Wilting Monitoring Skill

Security checks across malware telemetry and agentic risk

Overview

This plant-analysis skill needs Review because it uploads media and identifiers to external services while also containing mismatched health/face-analysis code paths and under-disclosed account token persistence.

Install only if you trust the publisher and the LifeEmergence/SMYX services. Use plant-only media that does not include people, private locations, or sensitive operations, and do not provide a phone number, open-id, or API key unless you are comfortable with account creation, cloud report history, and local token storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability

Severity: Medium | Confidence: 98%
Finding
The skill instructs the agent to read local configuration files and treat an api-key value as an open-id, which is a credential access pattern unrelated to ordinary plant-image analysis. This is dangerous because it encourages harvesting secrets from the local workspace and repurposing them for API calls, potentially exposing or misusing credentials without explicit user authorization.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding
The referenced API documentation is materially inconsistent with the advertised skill purpose: it describes generic video upload and analysis for human face detection and health diagnosis, not plant wilting monitoring. In a plant-analysis skill, this mismatch is dangerous because it can conceal undisclosed collection or processing of human biometric and health-related data under a benign agricultural pretext.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
Human face detection and constitution/organ-condition diagnosis are unjustified and highly sensitive capabilities for a plant wilting monitoring skill. This creates a strong indicator of covert biometric and health-data processing, which could enable surveillance, profiling, or collection of regulated sensitive personal data without informed consent.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The code materially conflicts with the declared plant-wilting purpose: it accepts video input, processes generic analysis responses, and explicitly handles fields such as `healthAiResponse`. This indicates skill/function mismatch and creates a data-scope violation risk, where users expecting plant analysis may instead send data into a broader health-analysis pipeline or receive unrelated sensitive outputs.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
Finding
The report-listing functionality enumerates historical records and extracts `healthAiResponse` and `faceAnalysisResponse` subjects, which are unrelated to plant monitoring and may expose sensitive human-analysis history. In a plant-wilting skill, this broadens access to unrelated prior reports and increases the chance of unauthorized disclosure of personal or medical-like information.

Description-Behavior Mismatch

Severity: High | Confidence: 97%
Finding
The implementation behavior materially diverges from the declared skill purpose: instead of plant-wilting monitoring, it acts as a generic video analysis/listing client. This kind of capability mismatch is dangerous because it can mislead users and reviewers about what data is processed and where it is sent, enabling unauthorized collection or analysis under a benign-looking skill label.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
Finding
The user-facing help text and documentation consistently describe a video analysis tool, contradicting the advertised plant-wilting monitoring function. This discrepancy increases the risk of deceptive operation and user consent failures, because operators may supply unrelated or sensitive media believing they are invoking a narrowly scoped agricultural tool.

Description-Behavior Mismatch

Severity: High | Confidence: 95%
Finding
The file implements persistent user-account and token storage in a skill whose stated purpose is plant wilting monitoring, creating a strong scope mismatch. Hidden or unjustified identity/token handling increases the chance of unauthorized data collection, credential retention, and privacy exposure, especially because sensitive fields like token and open_token are stored locally.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
Finding
The code derives a workspace path from the environment and silently creates a local SQLite database under a shared data directory, then uses it to persist user and token data without clear relation to the skill's stated function. In an agent environment, unnecessary local persistence can leak credentials across runs, widen the data exposure surface, and make forensic review harder because storage happens implicitly.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
This utility contains broad remote API, authentication, token handling, and account-provisioning behavior that is not justified by a plant wilting analysis skill. Such hidden cross-domain capabilities expand the attack surface, can exfiltrate identifiers and credentials, and enable unintended actions on unrelated backend services.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
The helper can create or log in users against a health-platform endpoint using a username/mobile/openId, which is unrelated to plant monitoring. In this context, that is dangerous because the skill can silently provision accounts and transmit identity data to an external service without a clear user-driven need.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding
The recharge/payment workflow is unrelated to plant wilting analysis and indicates hidden monetization behavior embedded in a shared utility. This can mislead users, mask unauthorized dependency on paid services, and suggests the skill is wired to external billing state rather than only performing local or narrowly scoped analysis.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
Broad automatic trigger keywords for historical report queries can cause unintended execution of cloud lookups when a user is speaking generally rather than requesting account-linked history. In this skill, that is more dangerous because report queries require identifiers and remote API access, so misfires may expose historical report metadata or perform unintended account-scoped actions.

Vague Triggers

Severity: Medium | Confidence: 80%
Finding
The default-trigger rule is overly broad and lacks clear negative boundaries, so the skill may auto-activate whenever a user shares plant imagery even if they did not intend remote analysis or file persistence. In a skill that uploads data and accesses account-linked history, ambiguous auto-triggering raises privacy and consent risks beyond a normal benign classifier.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The skill mandates automatically saving uploaded attachments as local files without clearly notifying the user or obtaining consent. This is dangerous because uploaded images or videos may contain sensitive metadata or proprietary agricultural information, and silent local persistence increases the risk of unintended retention, later disclosure, or access by other components.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The API accepts uploaded videos and public video URLs but provides no warning or controls regarding privacy, consent, retention, or handling of potentially sensitive visual data. Given that the same document describes face detection and health diagnosis, this omission increases the risk of unauthorized submission and processing of biometric and health-related content.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
The delete method performs a destructive API call based only on a provided camera serial number and shows no local confirmation, safeguard, or indication of authorization enforcement. If exposed through the skill without adequate upstream controls, this could allow accidental or unauthorized deletion of camera or monitoring records, disrupting plant-monitoring operations and data integrity.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
The skill reads the entire local file and transmits it to the analysis API, but this code shows no user-facing notice, consent flow, or data-minimization control. In combination with the apparent mismatch between declared plant monitoring and actual generic/health-analysis behavior, silent upload of local media becomes more dangerous because users may unknowingly send sensitive content to an external service.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The code accepts either a local file path or remote URL and passes it to a back-end analysis method without any explicit notice that the content may be transmitted to an external service. This is dangerous because users may unknowingly upload sensitive local media or cause the system to fetch remote content, creating privacy, data-governance, and possible SSRF-style exposure depending on the downstream implementation.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
Enabling HTTPConnection debug output and urllib3 debug logging can expose full request/response details, including headers, tokens, and sensitive payloads, into logs. In a utility that sends authentication material, debug mode materially increases the chance of credential leakage and downstream compromise.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The request helper automatically attaches tokens, API keys, tenant identifiers, platform metadata, and username data to outbound requests without clear per-request consent or minimization. Because this skill is supposed to monitor plant wilting, transmitting unrelated identity and auth data to remote services is especially unjustified and increases privacy and account-compromise risk.

VirusTotal

VirusTotal findings are pending for this skill version.