Smart Home IoT Control

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and cleanly packaged, but it gives agents broad smart-home control over locks, security systems, and appliances without clear confirmation or safety limits.

Review this skill carefully before installing. Use it only with accounts and devices you are willing to let an agent control, and add your own confirmation requirements for locks, alarms, thermostats, ovens, coffee makers, and other safety-sensitive appliances. Prefer limited-role credentials, audit logs, and narrow automation scopes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill enables safety-critical actions such as locking doors, arming security systems, and controlling appliances via natural language, but it provides no warnings about unintended execution, device-specific hazards, or the need for confirmation on high-risk commands. In a smart-home context, ambiguous or mistaken commands can create physical security, safety, or property risks, making the omission materially dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.
