Reachy Mini

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly meant to control a Reachy Mini robot, but it grants broad physical, camera, app-management and raw API access and relies on weakly authenticated SSH; users should review those capabilities before installing.

Install only if you own or administer the robot and understand that an agent could move it, use its camera and microphone-derived sensing, manage apps, restart services, and call raw API endpoints. Change default SSH credentials, prefer SSH keys, verify the robot host, avoid raw/app-management commands unless intentional, and do not use patrol or background reactions around people without consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of shell commands and local scripts (`reachy.sh`, `curl`, `sshpass`) but does not declare corresponding permissions. Undeclared shell capability weakens review and consent boundaries, increasing the chance that an agent can execute local commands or reach the network without users understanding the skill's true reach.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generic `raw METHOD PATH [BODY]` command lets callers access any reachable robot API path, not just the curated control actions described by the skill. In an agent context, this broadens capability beyond least privilege and can enable undocumented or unsafe operations, including administrative or destructive endpoints if they exist on the daemon.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The snapshot workflow uses SSH/SCP plus remote command execution and remote script deployment, which grants capabilities far broader than taking a camera snapshot. In a security-sensitive agent setting, this effectively turns the skill into a remote shell/file-transfer mechanism for the robot host, increasing the blast radius from robot control to host compromise or arbitrary modification.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is activated for essentially any request involving the robot, including physical movement, audio, camera, and app management. Such a broad scope raises the risk of accidental invocation for sensitive or safety-relevant actions, especially because this is a physical device with sensing capabilities.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented `patrol` behavior captures room snapshots for "room awareness" and suggests combining them with image analysis, but it provides no privacy warning, consent model, or occupancy safeguards. In a real environment this enables covert or unexpected surveillance of people and surroundings through an always-available robot camera.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference documents multiple state-changing and potentially disruptive operations—such as daemon start/stop/restart, motor mode changes, direct movement commands, app install/remove/start, WiFi changes, and firmware updates—without warning about physical, operational, or connectivity consequences. In a robot-control skill, this omission increases the chance that an agent or user invokes impactful actions without understanding that they can move hardware, interrupt service, change networking, or alter system software.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The patrol action captures a camera snapshot and writes it to a predictable local file path without any explicit consent, warning, or access control in this script. In a physical-robot skill with a camera, that creates a real privacy risk because callers can trigger image capture of the environment and leave artifacts on disk that may later be accessed by other users or processes.
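The snapshot handling described in this finding can be tightened without changing what patrol does: refuse to capture unless the operator opted in for the session, write frames into a per-run private directory with owner-only permissions instead of a predictable path, and delete them when the shell exits. The script below is an added example written for this page, not code from the skill or from SkillSpector. The `REACHY_ALLOW_CAMERA` and `CAPTURE_CMD` variables are assumptions, and the camera grab is replaced by a constructed byte string because no robot is available here.

```shell
#!/bin/sh
# Added example, not code from the skill or from SkillSpector. Shows a
# patrol/snapshot step that leaves no predictable, readable artefacts:
# explicit opt-in, a private per-run directory (0700), 0600 frame files,
# cleanup on exit. REACHY_ALLOW_CAMERA and CAPTURE_CMD are assumptions.

# fake_capture: stand-in for the camera grab; emits a constructed JPEG-like
# byte string (SOI marker, payload, EOI marker) to stdout.
fake_capture() { printf '\377\330\377\340constructed-frame\377\331'; }

# snapshot_dir_init: create the private directory once per run and arrange
# for it to be deleted when the shell exits, so frames do not outlive the
# session for other users or processes to pick up.
snapshot_dir_init() {
    [ -n "$SNAPSHOT_DIR" ] && return 0
    SNAPSHOT_DIR=$(mktemp -d "${TMPDIR:-/tmp}/reachy-snap.XXXXXX") || return 1
    chmod 700 "$SNAPSHOT_DIR"
    trap 'rm -rf "$SNAPSHOT_DIR"' EXIT INT TERM
}

# capture_snapshot: refuse without explicit opt-in; otherwise write one frame
# as a 0600 file into the private directory and publish its path in
# SNAPSHOT_FILE. The path is set in a variable rather than echoed so callers
# do not need a subshell, which would lose the cleanup trap.
capture_snapshot() {
    if [ "${REACHY_ALLOW_CAMERA:-0}" != 1 ]; then
        echo "capture refused: set REACHY_ALLOW_CAMERA=1 to opt in for this session" >&2
        return 3
    fi
    snapshot_dir_init || return 1
    SNAPSHOT_FILE="$SNAPSHOT_DIR/frame-$(date +%Y%m%dT%H%M%S)-$$.jpg"
    # umask 077 in the subshell means the file is never created world-readable,
    # even for an instant before the chmod below.
    ( umask 077; ${CAPTURE_CMD:-fake_capture} > "$SNAPSHOT_FILE" ) || { rm -f "$SNAPSHOT_FILE"; return 1; }
    chmod 600 "$SNAPSHOT_FILE"
}

# perms_of PATH: the group and other permission bits as ls prints them
# (portable across GNU and BSD stat); "------" means owner-only access.
perms_of() { ls -ld "$1" | cut -c5-10; }

# Demo: first call is refused (no opt-in), second stores a frame privately.
capture_snapshot || echo "refused with exit $?"
REACHY_ALLOW_CAMERA=1
capture_snapshot && echo "stored $SNAPSHOT_FILE (file $(perms_of "$SNAPSHOT_FILE"), dir $(perms_of "$SNAPSHOT_DIR"))"
unset REACHY_ALLOW_CAMERA
```

If frames must persist for image analysis, keep the same private directory but drop the exit trap and add a retention sweep; the opt-in check and the 0600 files are the parts that address the finding.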

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script defaults `REACHY_SSH_PASS` to `root` and uses `sshpass` for unattended authentication while also disabling host key checking. A default credential materially lowers the barrier to unauthorized access, and in combination with automated SSH/SCP it can enable trivial takeover of the robot host if that password is valid or commonly reused.
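The Overview's advice (change default credentials, prefer SSH keys, verify the robot host) and this finding describe the same weakness from two sides. The script below is an added example written for this page, not code from the skill or from SkillSpector: it audits a wrapper script for the three indicators named here (a default password, `sshpass`, host key checking disabled) and places a hardened wrapper next to the weak one. Both wrapper bodies are constructed to mirror the reported defaults and are not the real `reachy.sh`; the SSH user name, key path and known_hosts path in the hardened version are assumptions.

```shell
#!/bin/sh
# Added example, not code from the skill or from SkillSpector. Audits a shell
# wrapper for the weak SSH pattern in the finding and shows a hardened wrapper.
# Both wrapper bodies are constructed for this example, not the real reachy.sh.

WORK="${TMPDIR:-/tmp}/reachy-ssh-audit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Weak wrapper: mirrors the reported defaults (password defaults to root,
# sshpass for unattended login, host key verification switched off).
cat > "$WORK/weak.sh" <<'EOF'
#!/bin/sh
REACHY_HOST="${REACHY_HOST:-reachy.local}"
REACHY_SSH_PASS="${REACHY_SSH_PASS:-root}"
snapshot() {
  sshpass -p "$REACHY_SSH_PASS" scp -o StrictHostKeyChecking=no snap.py root@"$REACHY_HOST":/tmp/
  sshpass -p "$REACHY_SSH_PASS" ssh -o StrictHostKeyChecking=no root@"$REACHY_HOST" python3 /tmp/snap.py
}
EOF

# Hardened wrapper: key auth only, no password path at all, host key pinned in
# a dedicated known_hosts file the operator fills once after checking the
# robot's fingerprint out of band. User, key and known_hosts paths are assumed.
cat > "$WORK/hardened.sh" <<'EOF'
#!/bin/sh
: "${REACHY_HOST:?set REACHY_HOST to the robot's address}"
REACHY_SSH_USER="${REACHY_SSH_USER:-reachy}"
REACHY_SSH_KEY="${REACHY_SSH_KEY:-$HOME/.ssh/reachy_ed25519}"
REACHY_KNOWN_HOSTS="${REACHY_KNOWN_HOSTS:-$HOME/.ssh/reachy_known_hosts}"
reachy_ssh() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no \
      -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$REACHY_KNOWN_HOSTS" \
      -i "$REACHY_SSH_KEY" "$REACHY_SSH_USER@$REACHY_HOST" "$@"
}
snapshot() {
  # feed the capture script on stdin instead of copying a file onto the host
  reachy_ssh python3 - < snap.py
}
EOF

# audit_ssh_wrapper FILE: write one line per weak-SSH indicator to stderr and
# echo the number of indicators found (0 means none of these patterns appear).
audit_ssh_wrapper() {
    _hits=0
    if grep -Eq '_PASS(WORD)?="?\$[{][A-Za-z_]+:-[^}]+[}]' "$1"; then
        echo "  - default password baked into the script" >&2; _hits=$((_hits + 1))
    fi
    if grep -Eq '(^|[^A-Za-z0-9_])sshpass([^A-Za-z0-9_]|$)' "$1"; then
        echo "  - sshpass: unattended password auth, password visible in the process list" >&2; _hits=$((_hits + 1))
    fi
    if grep -Eq 'StrictHostKeyChecking=(no|off)|UserKnownHostsFile=/dev/null' "$1"; then
        echo "  - host key verification disabled: a spoofed host can capture the password" >&2; _hits=$((_hits + 1))
    fi
    echo "$_hits"
}

echo "weak.sh:";     echo "  $(audit_ssh_wrapper "$WORK/weak.sh") issue(s)"
echo "hardened.sh:"; echo "  $(audit_ssh_wrapper "$WORK/hardened.sh") issue(s)"
```

`BatchMode=yes` makes the hardened wrapper fail closed: if the key is missing or the host key does not match the pinned entry, ssh exits instead of prompting, which is the behaviour you want from anything an agent runs unattended.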

VirusTotal

64/64 vendors flagged this skill as clean.
