MicroPython Skills

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate MicroPython hardware-control skill, but it needs review because it can persistently modify devices, enable remote access, expose credentials, and recommends unsafe serial-port permissions.

Install only if you are comfortable giving an agent control over connected microcontroller boards. Prefer USB, avoid WebREPL on untrusted networks, set a strong non-default WebREPL password, keep WiFi credentials out of logs and shell history, back up `boot.py`/`main.py` before changes, and do not use the suggested `chmod 666` workaround; use group membership, udev rules, or a user-scoped ACL instead.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of shell commands, host file access, device file writes, and network downloads, but does not declare an explicit permission model. That mismatch increases the chance the agent will invoke powerful local capabilities without clear policy gating or user awareness, especially because the skill can flash firmware, write device boot files, and connect over WiFi.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation asserts these algorithms have 'no direct hardware side effects,' but the included Data Logger writes to the device filesystem and performs file rotation. In an embedded/MicroPython context, filesystem modification is a real side effect that can overwrite or rename on-device data, so the safety claim is materially misleading.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill metadata frames the content as on-device algorithms, but it also bundles a filesystem-writing utility. That mismatch can cause an agent or user to select this skill under the assumption it is side-effect free, increasing the chance of unintended writes to persistent storage on constrained devices.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger is extremely broad and includes many generic hardware, IoT, and networking terms, which can cause the skill to activate in conversations that only loosely relate to microcontrollers. Over-triggering expands the attack surface by making it more likely the agent loads instructions that authorize shell, network, and device-control behaviors in contexts where they were not intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to provide WiFi SSIDs, WiFi passwords, and WebREPL passwords directly on the command line and shows storing credentials in plaintext in `boot.py` and `webrepl_cfg.py`. In an agent-driven environment, this increases the risk of credential leakage through shell history, logs, screenshots, process listings, or accidental persistence on shared systems.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The MicroPython probe intentionally collects and prints hardware and network-identifying data including platform, version, uname machine details, storage characteristics, and potentially the device's Wi-Fi IP address. In an agent skill context, this can expose sensitive environmental details to logs, downstream tools, or users without explicit consent or minimization, increasing privacy and fingerprinting risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends arbitrary code to the attached device and rewrites boot.py so the device automatically connects to WiFi and starts WebREPL on every boot, but it does not present an explicit confirmation or warning about these persistent behavior changes. In a hardware-control skill, that is more dangerous because the code directly alters device startup state and network exposure, which can surprise users and leave devices remotely reachable after setup.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script includes the WebREPL password in the device-emitted RESULT JSON and then prints command output, which can expose credentials in logs, agent transcripts, terminal history, or downstream tooling. In this skill context, credentials are especially sensitive because they grant remote access to a microcontroller over the network, and the default password of 'micropython' further increases risk of unauthorized access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Data Logger section describes creating, appending, renaming, and deleting files without an explicit warning about overwrite/rotation behavior. On microcontrollers, storage is limited and flash writes are sensitive; unannounced file rotation can destroy prior logs or conflict with existing files, making this operationally risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The network diagnostics code prints full Wi-Fi interface configuration, including local IP, gateway, subnet, and AP configuration, and the skill explicitly says Safe tier operations should execute without user confirmation. This can expose sensitive network topology information to the agent or logs without the user's awareness, which is a real privacy/security issue even if it does not directly disclose the Wi-Fi password.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The BLE scan example enumerates nearby devices and returns their MAC-like addresses and RSSI values without any user-facing privacy notice, consent step, or minimization. Nearby Bluetooth identifiers can be sensitive because they reveal the presence of surrounding devices and can enable tracking or profiling, especially in a skill explicitly meant to control physical hardware.

External Transmission

Medium
Category
Data Exfiltration
Content
import urequests, json
try:
    data = {"sensor": "dht22", "temp": 23.5}
    r = urequests.post(
        "http://example.com/api/data",
        json=data,
        headers={"Content-Type": "application/json"}
Confidence
87% confidence
Finding
requests.post( "http://

External Transmission

Medium
Category
Data Exfiltration
Content
import urequests, json
try:
    data = {"sensor": "dht22", "temp": 23.5}
    r = urequests.post(
        "http://example.com/api/data",
        json=data,
        headers={"Content-Type": "application/json"}
Confidence
87% confidence
Finding
requests.post( "http://example.com/api/data", json=

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- `status: "ok"` → Device has MicroPython, proceed to step 2
   - `status: "no_firmware"` → ESP chip detected but no MicroPython. Ask user to confirm, then flash: `python3 {SKILL_DIR}/scripts/firmware_flash.py --port PORT --yes`
   - `status: "no_device"` → No device connected. Guide user to connect hardware.
   - `status: "permission_denied"` → Serial port not accessible. On Linux: `sudo chmod 666 /dev/ttyACM0`. On Windows: check Device Manager for driver issues.
2. **Connect** — Default: USB via mpremote. Optional: WiFi via WebREPL (user must request)
3. **Execute** — Generate MicroPython code and push to device
4. **Parse** — Scan stdout for tagged lines (RESULT:/ERROR:/STATUS:/LOG:)
Confidence
98% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
- `status: "ok"` → Device has MicroPython, proceed to step 2
   - `status: "no_firmware"` → ESP chip detected but no MicroPython. Ask user to confirm, then flash: `python3 {SKILL_DIR}/scripts/firmware_flash.py --port PORT --yes`
   - `status: "no_device"` → No device connected. Guide user to connect hardware.
   - `status: "permission_denied"` → Serial port not accessible. On Linux: `sudo chmod 666 /dev/ttyACM0`. On Windows: check Device Manager for driver issues.
2. **Connect** — Default: USB via mpremote. Optional: WiFi via WebREPL (user must request)
3. **Execute** — Generate MicroPython code and push to device
4. **Parse** — Scan stdout for tagged lines (RESULT:/ERROR:/STATUS:/LOG:)
Confidence
98% confidence
Finding
chmod 666

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if "not readable" in combined.lower() or "permission" in combined.lower():
        if sys.platform == "win32":
            return None, f"Permission denied on {port}. Check Device Manager for driver issues."
        return None, f"Permission denied on {port}. Run: sudo chmod 666 {port}"

    # Check for connection error
    if rc != 0 and ("failed" in combined.lower() or "error" in combined.lower()):
Confidence
98% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
"fix": (
                "Check Device Manager — the COM port driver may need reinstalling"
                if sys.platform == "win32"
                else f"Run: sudo chmod 666 {port}"
            ),
        }
        print(json.dumps(result, indent=2))
Confidence
98% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if "not readable" in combined.lower() or "permission" in combined.lower():
        if sys.platform == "win32":
            return None, f"Permission denied on {port}. Check Device Manager for driver issues."
        return None, f"Permission denied on {port}. Run: sudo chmod 666 {port}"

    # Check for connection error
    if rc != 0 and ("failed" in combined.lower() or "error" in combined.lower()):
Confidence
98% confidence
Finding
chmod 666

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
"fix": (
                "Check Device Manager — the COM port driver may need reinstalling"
                if sys.platform == "win32"
                else f"Run: sudo chmod 666 {port}"
            ),
        }
        print(json.dumps(result, indent=2))
Confidence
98% confidence
Finding
chmod 666

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- `status: "ok"` → Device has MicroPython, proceed to step 2
   - `status: "no_firmware"` → ESP chip detected but no MicroPython. Ask user to confirm, then flash: `python3 {SKILL_DIR}/scripts/firmware_flash.py --port PORT --yes`
   - `status: "no_device"` → No device connected. Guide user to connect hardware.
   - `status: "permission_denied"` → Serial port not accessible. On Linux: `sudo chmod 666 /dev/ttyACM0`. On Windows: check Device Manager for driver issues.
2. **Connect** — Default: USB via mpremote. Optional: WiFi via WebREPL (user must request)
3. **Execute** — Generate MicroPython code and push to device
4. **Parse** — Scan stdout for tagged lines (RESULT:/ERROR:/STATUS:/LOG:)
Confidence
95% confidence
Finding
chmod 666

Tool Parameter Abuse

High
Category
Tool Misuse
Content
if "not readable" in combined.lower() or "permission" in combined.lower():
        if sys.platform == "win32":
            return None, f"Permission denied on {port}. Check Device Manager for driver issues."
        return None, f"Permission denied on {port}. Run: sudo chmod 666 {port}"

    # Check for connection error
    if rc != 0 and ("failed" in combined.lower() or "error" in combined.lower()):
Confidence
97% confidence
Finding
chmod 666

Tool Parameter Abuse

High
Category
Tool Misuse
Content
"fix": (
                "Check Device Manager — the COM port driver may need reinstalling"
                if sys.platform == "win32"
                else f"Run: sudo chmod 666 {port}"
            ),
        }
        print(json.dumps(result, indent=2))
Confidence
97% confidence
Finding
chmod 666

VirusTotal

66/66 vendors flagged this skill as clean.
