ClawHub

skill-create-pip

Security checks across malware telemetry and agentic risk

Overview

This skill appears to control Ecovacs vacuums as advertised, but it stores reusable account material locally and exposes broad device-control commands without strong guardrails.

Install only if you are comfortable giving this skill access to your Ecovacs account and control over your robot vacuum. Before use, consider editing the script so it does not store the password hash, restrict ~/.ecovacs_session.json to user-only permissions, delete that file when finished, and manually review any command that starts cleaning, changes settings, or modifies schedules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill explicitly documents network access to Ecovacs cloud endpoints and local file writes to ~/.ecovacs_session.json, but no permissions declaration is present. That mismatch can mislead operators and reviewers about the skill's actual capabilities, reducing transparency around sensitive actions like credentialed API access and local persistence.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior exceeds the declared purpose in several security-relevant ways: local credential/session persistence, device enumeration, and especially an arbitrary raw command interface. The raw cmd path is the most concerning because it enables backend operations beyond the listed safe vacuum controls, increasing the chance of unintended or abusive actions under the user's authenticated account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that session data is stored in ~/.ecovacs_session.json but provides no warning about local persistence or sensitivity of the stored token/user identifiers. On multi-user systems or poorly secured environments, this can expose reusable authenticated session material to other local users or malware.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Passing phone numbers and passwords on the command line is risky because arguments may be captured in shell history, process listings, audit logs, or telemetry. Even if the password is MD5-hashed before API use, entering it directly as an argument still exposes sensitive credentials locally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reference instructs clients to authenticate using a plaintext identifier and an MD5-hashed password, which documents a weak credential-handling pattern. MD5 is not appropriate as a password protection mechanism, and without explicit guidance on secure transport, storage, logging avoidance, and token handling, integrators may expose reusable credentials or treat the MD5 value as safe when it effectively becomes a password equivalent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists authentication material in a predictable file under the user's home directory and includes both the phone number and password-derived MD5 hash in that file. Even though the plaintext password is not stored, an unsalted MD5 password equivalent can often be reused directly for login in this code path, so local file disclosure or weak file permissions can lead to account compromise.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal