ClawAudit verdict
pet-restricted-area-warning-analysis
smyx-pet-restricted-area-warning-analysis
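The skill appears to be a legitimate petal analysis, guiding precision agricultural decision-making and improving crop yield and quality.

## Task objectives
- This Skill is used to: identify plants from video/images, accurately determine their growth stage, and output structured growth-status analysis data
- Capabilities include: visual recognition, multi-stage classification, structured output, precision-agriculture decision support
- Trigger conditions:
  1. **Default trigger**: when the user provides a plant growth video/image that needs identifying, this skill is triggered by default to identify the plant growth stage
  2. **Explicit intent**: when the user mentions keywords such as growth stage identification, growth period determination, precision agriculture, plant monitoring, or crop yield estimation, and has uploaded a video/image
  3. **Historical report query**: when keywords such as viewing historical reports, the list of historical analysis results, querying historical data, or displaying plant growth stage reports are mentioned, the historical report query function is triggered automatically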
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.
Findings (3)
HTTP request to bare IP address — common in malicious payloads
skills/smyx_common/scripts/config-dev.yaml · prose · downgraded · http://192.168.1.234
subprocess execution — runs system commands from Python
skills/smyx_common/scripts/skill.py · prose · downgraded · subprocess.run(
Python os.environ.get — reads environment variable
skills/smyx_common/scripts/config.py · prose · downgraded · os.environ.get(
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.