Back to skill

Security audit

Reachy Mini

Security checks across malware telemetry and agentic risk

Overview

This skill is genuinely for controlling a Reachy Mini robot, but it exposes broad robot, camera, app-management, raw API, and weak SSH access that should be reviewed before installation.

Install only if you own or administer the robot and are comfortable letting an agent move it, use its camera, query microphone-derived speech direction, manage apps, restart services, and call raw robot API endpoints. Prefer SSH keys, change default credentials, verify host keys, avoid password-based sshpass use, and do not use patrol or heartbeat snapshots around people without explicit consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs use of shell-based tooling (`reachy.sh`, `curl`, `sshpass`) but does not declare corresponding permissions. This creates a capability/permission mismatch that can bypass user expectations and policy controls, especially because the shell access can move hardware, access the camera, and manage apps on the robot.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation explicitly promotes using camera patrol snapshots for 'room awareness' and periodic checks, which expands the skill from direct robot control into environmental monitoring. That creates privacy and surveillance risk because it normalizes repeated image capture of a physical space and potentially its occupants without clear consent boundaries.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The contextual integration section repurposes the robot as an external workflow notifier for email, meetings, heartbeats, and session events. While not inherently exploitative, it broadens the operational scope beyond direct user-invoked robot control and can lead to unexpected autonomous behavior in the physical environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The snapshot feature copies a Python script to the robot over SSH and executes it remotely, which is effectively remote code execution on the robot host. In a physical robot-control skill, this is more dangerous because it moves beyond the declared REST control plane into arbitrary shell-level access, increasing the blast radius to the robot OS, installed apps, and any accessible local services.

Vague Triggers

High
Confidence
88% confidence
Finding
The activation scope says to use the skill for 'any request involving the Reachy Mini robot' and includes broad physical interaction categories. Overbroad routing increases the chance that unrelated or insufficiently reviewed requests get delegated to a skill that can execute shell commands, control movement, capture images, and manage apps on a physical device.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The patrol behavior describes periodic room snapshots without a user-facing privacy warning at the point of use. In a robot with a camera in a real-world environment, that omission materially increases the risk of covert or insufficiently consented monitoring.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script supports password-based SSH/SCP using `REACHY_SSH_PASS` and disables host key checking, which makes interception and credential theft materially easier. In this robot-control context, compromise of these credentials can grant shell-level access to the robot, not just limited API operations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.