Security audit

Xiao Chuang You Garden

Security checks across malware telemetry and agentic risk

Overview

This skill only provides gardening and balcony plant-care advice, with no executable code or requested system access.

Safe to install for gardening help. Be aware it may activate on broad plant-related words, so users who want stricter routing may prefer more specific trigger wording, but there is no evidence of hidden access, data collection, persistence, or harmful behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger list includes several common, ambiguous keywords such as '浇水', '花期', and broad plant names without scope constraints, which can collide with ordinary conversation and cause unintended activation. In an agent system, over-broad activation can route users into the wrong skill, leading to irrelevant responses, context hijacking, or reduced reliability, even though the domain here is low risk.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.