Sports Game Light Tracker

Security checks across malware telemetry and agentic risk

Overview

This smart-light sports tracker has a coherent purpose, but it asks the agent to use a Home Assistant token and run unprovided PowerShell scripts, including a hidden auto-restarting background process with a broad force-stop command.

Review or obtain the actual game-tracker.ps1 and keeper.ps1 scripts before using this. Use a least-privilege Home Assistant token if possible, confirm the exact light entity it may control, avoid hidden background launch unless you explicitly want it, and prefer a safer stop method that targets only the process IDs started for this tracker.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium (91% confidence)

Finding:
The skill explicitly instructs launching `keeper.ps1` as a hidden background PowerShell process to keep the tracker alive. Even if intended for reliability, hidden persistent execution reduces user visibility, complicates consent, and creates behavior similar to stealthy persistence that can be abused or continue running longer than the user expects.

Context-Inappropriate Capability

Medium (95% confidence)

Finding:
The stop command force-kills PowerShell processes based on command-line substring matching for `game-tracker.ps1` or `keeper.ps1`. This is overly broad for the stated purpose and risks terminating unrelated user or admin processes with matching arguments, causing denial of service or disruption of legitimate automation.

Missing User Warnings

Medium (89% confidence)

Finding:
The documentation tells users to force-stop matching PowerShell processes without warning that the command may kill more than the intended tracker instances. In a consumer smart-home skill, omitting that warning increases the likelihood of accidental disruption because users may copy-paste the command without understanding its breadth.

VirusTotal

66/66 vendors flagged this skill as clean.
