Radar Collision Warning

Security checks across malware telemetry and agentic risk

Overview

This skill is a radar collision-warning helper for a Raspberry Pi ROS2 setup whose behavior matches its disclosed purpose. The scan found no hidden or purpose-mismatched behavior, but it flags cautions around the background monitor mode and the skill's network use.

Install this only if you control the Raspberry Pi and the ROS2 environment. Keep rosbridge off untrusted networks, review the startup script before running it (it restarts ROS and lidar processes), and explicitly stop any background monitor when you are finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium. Confidence: 91%.

Finding
The invocation phrases “雷达防撞预警” (radar collision warning), “开启雷达监控” (start radar monitoring), and “检查障碍物” (check obstacles) are broad enough to overlap with ordinary conversation or planning text. A message that merely mentions them can activate a network-connected skill and trigger external actions without clear user intent.

Vague Triggers

Severity: Medium. Confidence: 89%.

Finding
The one-shot usage guidance says to run the skill when users say phrases such as “雷达防撞预警” (radar collision warning), “检查障碍物距离” (check obstacle distance), or “开启雷达监控” (start radar monitoring), which are still ambiguous and broad. Because the skill runs a shell command and opens a network connection to a ROS bridge, accidental activation has real side effects beyond a harmless lookup.

Vague Triggers

Severity: High. Confidence: 96%.

Finding
The continuous monitoring mode can be started in the background from underspecified phrases such as “持续监控” (continuous monitoring) or “实时雷达监控” (real-time radar monitoring). Unintended background execution is more dangerous than a one-shot call because it persists, consumes resources, repeatedly contacts the remote ROS service, and is harder for users to notice or stop.
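The three findings above share one root cause: the skill fires on a phrase appearing anywhere in a message, and the action it takes (a shell command, a rosbridge connection, possibly a persistent background loop) has side effects. The following Python is an added illustration, not code from the scanned skill or from SkillSpector. It contrasts substring-style matching with a stricter gate in which the message must consist of the trigger phrase alone (optionally after an imperative prefix), any side-effecting mode requires explicit confirmation, and background monitors are registered so they can be enumerated and stopped. The trigger phrases are the ones quoted in the findings; the imperative prefixes, the mode names, and the stand-in monitor loop are constructed for the example.

```python
"""Trigger gating and monitor lifecycle for a side-effecting agent skill.

Added example, not code from the scanned skill. Trigger phrases come from
the scan findings; the prefixes, mode names and fake monitor are constructed.
"""
import threading

# Invocation phrases quoted in the findings, mapped to the mode they start.
TRIGGERS = {
    "雷达防撞预警": "one_shot",    # radar collision warning
    "检查障碍物": "one_shot",      # check obstacles
    "检查障碍物距离": "one_shot",  # check obstacle distance
    "开启雷达监控": "one_shot",    # start radar monitoring
    "持续监控": "background",      # continuous monitoring
    "实时雷达监控": "background",  # real-time radar monitoring
}

# Imperative prefixes a user might type before a phrase (constructed list).
IMPERATIVE_PREFIXES = ("请", "帮我", "现在")


def broad_match(text):
    """Substring matching: fires on any message that merely mentions a phrase."""
    for phrase, mode in TRIGGERS.items():
        if phrase in text:
            return mode
    return None


def exact_match(text):
    """The message must be a trigger phrase, optionally after an imperative prefix."""
    core = text.strip().rstrip("。.!！?？")
    for prefix in IMPERATIVE_PREFIXES:
        if core.startswith(prefix):
            core = core[len(prefix):]
            break
    return TRIGGERS.get(core)


def gate(text, confirmed=False):
    """Decide what the skill may do for one message.

    Returns "ignore" (no exact trigger), "confirm" (a side-effecting mode
    matched but the user has not confirmed), "one_shot" or "background".
    Both modes run a shell command and contact rosbridge, so both need
    confirmation; only the exact-match step separates them from chatter.
    """
    mode = exact_match(text)
    if mode is None:
        return "ignore"
    if not confirmed:
        return "confirm"
    return mode


class MonitorRegistry:
    """Tracks background monitors so they can be listed and stopped."""

    def __init__(self):
        self._monitors = {}

    def start(self, name, target):
        """Run target(stop_event) in a daemon thread; refuse a duplicate name."""
        if name in self._monitors:
            return False
        stop = threading.Event()
        thread = threading.Thread(target=target, args=(stop,), daemon=True)
        self._monitors[name] = (thread, stop)
        thread.start()
        return True

    def running(self):
        """Names of monitors whose thread is still alive."""
        return sorted(n for n, (t, _) in self._monitors.items() if t.is_alive())

    def stop_all(self, timeout=2.0):
        """Signal every monitor to stop and join it; returns the names stopped."""
        stopped = []
        for name, (thread, stop) in list(self._monitors.items()):
            stop.set()
            thread.join(timeout)
            if not thread.is_alive():
                stopped.append(name)
                del self._monitors[name]
        return stopped


def fake_monitor(stop_event):
    """Stand-in for a loop that would poll rosbridge; it only waits to be stopped."""
    while not stop_event.wait(0.05):
        pass


if __name__ == "__main__":
    planning = "我们明天再讨论雷达防撞预警的方案"  # "let's discuss the radar warning plan tomorrow"
    print(broad_match(planning), gate(planning))        # one_shot ignore
    print(gate("请持续监控"), gate("请持续监控", True))  # confirm background
    reg = MonitorRegistry()
    reg.start("radar", fake_monitor)
    print(reg.running(), reg.stop_all())                # ['radar'] ['radar']
```

The planning sentence shows the over-firing the findings describe: `broad_match` starts a one-shot run on a message that only discusses the feature, while `gate` ignores it. A real skill would pass the confirmed mode to its launcher and register any background process with the registry so a "stop monitoring" command can actually reach it.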

VirusTotal

None of the 66 VirusTotal engines flagged this skill; all 66 reported it clean. Note that an antivirus verdict covers known malware signatures only and does not evaluate the trigger-scope and network side-effect findings above.