ToyBridge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's stated purpose is to control a local BLE toy, but it lets the agent issue physical-device vibration commands through shell/local HTTP calls without clear confirmation or duration safeguards.

Install only if you control the device and ToyBridge server, and configure your agent to ask before starting or changing vibration. Specify duration and intensity explicitly, verify the stop command works first, and review the external ToyBridge server code because it was not part of this scan.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent invokes the skill at the wrong time, intensity, or duration, it could activate or continue a physical device in a way the user did not intend.

Why it was flagged

The skill instructs the agent to send direct local HTTP commands that physically actuate a connected device, including high intensities and patterns. The stop rule is helpful, but the artifact does not clearly require explicit confirmation, a maximum duration, or other safety boundaries before starting or continuing stimulation.

Skill content

curl -s -X POST http://host.docker.internal:8888/vibrate ... -d '{"intensity": 60}' ... `intensity`: 0–100 ... Preset patterns ... `wave` ... Agent rules: Always stop ... unless user says to keep going

Recommendation

Require explicit user confirmation before every start or pattern change, set a clear maximum duration and intensity unless the user overrides it, and keep an easy stop command available.

What this means

The clean scan only applies to this SKILL.md file, not to the ToyBridge server that actually talks to the BLE device.

Why it was flagged

The reviewed skill is instruction-only and relies on an external ToyBridge server that is not included in the scanned artifacts. This is purpose-aligned, but users must evaluate that external code separately.

Skill content

Control any BLE toy ... as long as you have the [ToyBridge](https://github.com/AmandaClarke61/toybridge) server running ... The ToyBridge server is running: `uv run 4-bridge/server.py`

Recommendation

Inspect and trust the ToyBridge repository before running it, pin the version you use, and keep the server bound to local/private interfaces only.