smarthome

Security checks across malware telemetry and agentic risk

Overview

This smart-home skill is not malicious, but it can control real devices using ambiguous name matching and stores powerful credentials with limited safety guidance.

Install only if you are comfortable giving this skill durable access to control your smart-home devices. Use exact device names, avoid safety-critical devices such as locks, heaters, or appliances, protect the config file with strict local permissions, and prefer least-privilege or revocable tokens where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly supports fuzzy device-name matching for control actions, including ambiguous examples like controlling '灯' after matching '客厅灯'. In a smart-home context this can trigger the wrong device or multiple unintended actions, affecting physical devices and safety-sensitive automations without any documented confirmation or disambiguation step.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation instructs users to store long-lived Home Assistant and Tuya credentials and immediately use them for device discovery/control, but it does not warn about the sensitivity of those credentials, the possibility of cloud transmission via Tuya fallback, or the physical impact of issuing device commands. In a smart-home control skill, missing privacy/safety warnings increases the chance that users expose powerful tokens or unintentionally authorize actions affecting locks, lights, or appliances.

VirusTotal

66/66 vendors flagged this skill as clean.
