ROS 2 Skill

Security checks across malware telemetry and agentic risk

Overview

This ROS 2 skill is mostly purpose-aligned, but it gives an agent broad live-robot control, persistent process control, and Discord file-sending ability with weak user-approval boundaries.

Install only in a controlled ROS 2 environment where the operator expects the agent to control hardware. Review the Discord workflow before use, restrict or remove bot-token access if external sharing is not required, and require human confirmation for motion, controller changes, process launches, and any file upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (41)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_cmd(cmd, timeout=10):
    """Run a shell command and return (stdout, stderr, returncode)."""
    try:
        # shell=True is the flagged pattern: cmd is handed to the shell for parsing
        result = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, timeout=timeout
        )
        return result.stdout.strip(), result.stderr.strip(), result.returncode
    except subprocess.TimeoutExpired:
        return "", f"command timed out after {timeout}s", -1
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout )

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill embeds an off-system file transfer workflow using a persistent Discord bot configuration unrelated to core ROS control. That expands the skill from robot operation into external data exfiltration, allowing captured images or files from the robot environment to be sent to a third-party channel using local credentials.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The instructions authorize direct `tmux` session management outside the structured skill CLI, broadening the agent's authority to manipulate host processes and sessions. This bypasses the JSON interface and safety wrappers the document otherwise claims are mandatory, increasing the chance of unintended host-level interference or misuse.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The README documents use of a Discord bot token from a user config file to enable outbound messaging, which introduces a non-ROS external communication channel and access to a sensitive credential. In a robot-control skill, this increases the risk of unintended data exfiltration, image leakage, or abuse of the bot token if the agent or surrounding platform is compromised or overly permissive.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documented Discord integration extends the skill beyond ROS 2 robot control into external data exfiltration capability. Because it can send images or PDFs to a third-party service, it creates an unnecessary outbound data channel that could leak camera captures, maps, logs, or other sensitive artifacts without any privacy warning or strong justification in this skill reference.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The command reference introduces `discord_tools.py send-image`, which reads a Discord bot token from a local config file and transmits local image artifacts to an external service. That capability is unrelated to core ROS 2 robot control/inspection and creates a direct data exfiltration path from the agent environment to the internet, especially dangerous because the image source can be robot camera captures.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
`control view-controller-chains` can optionally send generated PDFs to Discord, extending a local visualization command into external file sharing. Even though the artifact is not camera data, it may disclose controller topology, package names, node structure, and operational details about the robot system to a third party without strong safety boundaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The examples add a Discord file/image exfiltration workflow that is not necessary for core ROS 2 control or monitoring and sends robot-captured artifacts to an external service. In a robot operations skill, this expands the trust boundary from local robot introspection to off-platform data transfer, creating privacy and data-leakage risk if operators follow the examples blindly.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The rules explicitly instruct sending captured images/files to Discord via an external script and channel ID, which expands the skill from ROS 2 control/monitoring into external data exfiltration. In a robot-control skill, camera captures and artifacts can contain sensitive environmental, operational, or personal data, so mandating off-platform delivery materially increases privacy and data-leak risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Rule 2 claims the skill must only use ros2_cli.py, but later sections normalize direct ros2 CLI and arbitrary shell commands as workflow exceptions. This inconsistency weakens safety boundaries and makes it easier for an agent to bypass the structured JSON interface, increasing the chance of misparsing, unsafe fallback behavior, or command execution outside the intended control surface.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This file adds a Discord exfiltration/communications capability that is unrelated to the declared ROS 2 robot-control purpose, and it is able to read a bot token from local config and transmit arbitrary local image files to an external channel. In an agent skill context, this kind of hidden out-of-scope network capability is dangerous because it can be used to quietly move robot-captured images or other sensitive files off-device under the guise of normal skill behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The runtime behavior sends local files to Discord instead of performing ROS 2 operations, directly contradicting the skill's manifest and user expectations. That mismatch increases the risk of deceptive capability smuggling: an operator may invoke a supposedly ROS-related skill while it performs unrelated external data transfer, enabling covert exfiltration or unauthorized outbound communication.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
Labeling this as 'Discord tools for ros2-skill' normalizes unrelated Discord functionality inside a ROS 2 control package and can mislead reviewers or users about what the command actually does. In this skill context, that ambiguity is security-relevant because it helps conceal an outbound messaging feature inside a high-trust robotics integration, making misuse less likely to be noticed.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code can launch `foxglove_bridge`, which exposes robot telemetry and control-adjacent data over a websocket service outside the local ROS CLI boundary. In a robotics operations skill, that materially expands the attack surface and can unintentionally make sensitive robot state available to other hosts if the bridge binds beyond localhost or is deployed on an untrusted network.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This utility module exposes a generic shell-command runner and wrappers that go beyond direct ROS graph/API interaction. Because the skill is marketed as a broad ROS 2 control surface, bundling generic command execution increases the chance that higher-level commands pass attacker-influenced values into shell execution, expanding impact from robot control into host command execution.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The tmux/session-management layer broadens capability from ROS operations into persistent process and session control on the host. In combination with shell-based helpers, this can be abused to enumerate, create, or kill sessions and to persist operational state outside the ROS domain, which increases the blast radius of mistakes or malicious inputs.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly directs the agent to introspect, act, and verify on a live robot while minimizing user confirmation. In a robotics context, autonomous execution of motion and recovery actions without an explicit per-action safety gate can cause physical movement, equipment damage, or unsafe interactions before the operator understands what will happen.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow sends captured robot images/files to Discord without an explicit privacy or disclosure boundary. In practice, this can export environmental imagery or operational data off-device to an external service even when the user may have only intended local capture.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes autonomous execution of safety-relevant robot actions such as movement, emergency-stop triggering, and automatic stack launching without emphasizing operator confirmation, environment checks, or real-world safety constraints. In the context of a skill designed for direct ROS 2 robot control, this can normalize unsafe autonomous behavior and lead to physical harm, equipment damage, or unsafe state transitions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes sending images to Discord using a bot token but does not warn that robot-captured data may be transmitted to an external third-party service. In this skill’s context, robots may observe sensitive physical environments, so unannounced external transmission materially raises privacy, confidentiality, and compliance risks.

Vague Triggers

High
Confidence
92% confidence
Finding
The invocation text is extremely broad: it directs the agent to use this skill for any ROS 2-related task and 'when in doubt'. In a safety-critical robotics context, such broad routing increases the chance the skill is auto-selected for ambiguous requests, including movement or actuator-affecting actions, without sufficient task-specific scrutiny.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Although the skill mentions 'Safety First' later, the top-level description does not explicitly warn that it can perform safety-critical physical robot actions. For a user-invokable skill that can publish movement commands and manage controllers, insufficient upfront warning can lead to accidental invocation in contexts where physical motion, hardware damage, or operator injury are possible.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The reference includes examples for publishing to /cmd_vel to move a robot, but it does not present operational safety warnings about motion, environment checks, or authorization. In a skill that explicitly covers the full ROS 2 operation surface, omission of safety guidance increases the chance an agent or operator will issue state-changing commands that cause unsafe robot behavior or service disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Documenting Discord image/PDF sending without a privacy or external-transmission warning normalizes sending potentially sensitive robot data off-device. In this context, captured images, diagnostics, reports, or documents may include proprietary, personal, or safety-relevant information, and users are not warned that data leaves the local ROS environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Discord image sending documentation lacks an explicit warning that robot images and local files are being sent to an external service using credentials from a local config. In an agent setting, omission of that disclosure increases the chance of unintended sensitive-data transmission because the feature appears as a normal utility rather than an exfiltration action.

VirusTotal

62/62 vendors flagged this skill as clean.
