Back to skill

Security audit

Xiao Chuang You Garden

Security checks across malware telemetry and agentic risk

Overview

This skill only provides gardening and balcony plant-care advice, with no executable code or requested system access.

Safe to install for gardening help. Be aware it may activate on broad plant-related words, so users who want stricter routing may prefer more specific trigger wording, but there is no evidence of hidden access, data collection, persistence, or harmful behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes several common, ambiguous keywords such as '浇水', '花期', and broad plant names without scope constraints, which can collide with ordinary conversation and cause unintended activation. In an agent system, over-broad activation can route users into the wrong skill, leading to irrelevant responses, context hijacking, or reduced reliability, even though the domain here is low risk.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.