Nest Devices

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for Nest control, but its optional alerting setup can run persistently, expose a local webhook publicly, and automatically send private camera images or home-event data to Telegram and Clawdbot.

Install only if you intentionally want a persistent Nest monitoring service. Use a dedicated least-privilege Google/Nest setup, protect and rotate all tokens, verify cloudflared provenance, restrict or authenticate the webhook, and enable Telegram photo alerts only for chats where sharing home camera images is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (16)

Tainted flow: 'req' from os.environ.get (line 287, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
'Content-Type': 'application/json',
            },
        )
        urllib.request.urlopen(req, timeout=5)
    except Exception as e:
        print(f"[HOOK] Error: {e}")
Confidence
89% confidence
Finding
urllib.request.urlopen(req, timeout=5)

Tainted flow: 'req' from os.environ.get (line 287, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
'Content-Type': f'multipart/form-data; boundary={boundary}',
        })

        with urllib.request.urlopen(req, timeout=15) as resp:
            result = json.loads(resp.read())
            if result.get('ok'):
                print(f"[TELEGRAM] Photo sent successfully")
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=15) as resp:

Tainted flow: 'req' from os.environ.get (line 287, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
'Content-Type': 'application/json',
        })

        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read()).get('ok', False)
    except Exception as e:
        print(f"[TELEGRAM] Error: {e}")
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions while the documentation clearly instructs use of environment variables, network access, and shell commands. This creates a transparency and governance gap: operators may approve or invoke the skill without understanding that it can access secrets, call external services, and run persistent infrastructure components.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose is Nest device control, but the documented behavior extends into webhook hosting, public event ingestion, Telegram alerting, image capture, and posting to external hook endpoints. That mismatch is dangerous because users and reviewers may consent to a home-control skill without realizing it also enables continuous surveillance-style monitoring and third-party data transmission.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation broadens the skill from device control into external alerting and messaging workflows. This increases the data exposure surface by forwarding security-sensitive home events and images outside the Nest ecosystem, which is materially different from simple thermostat or camera control.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Sending doorbell or person-triggered images to Telegram is not necessary for core Nest control and can expose sensitive household imagery to a third-party messaging platform. In the context of smart-home cameras, this meaningfully increases privacy and unauthorized disclosure risk if chats, bots, or tokens are misconfigured or compromised.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
Setting up a Cloudflare tunnel and public webhook exposes a local service to internet-reachable event delivery, which is broader than the advertised device-control function. If the webhook is weakly authenticated or misconfigured, it can expand attack surface for spoofed events, denial of service, or unintended data exposure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Forwarding Nest event data and camera snapshots to Telegram materially expands the skill beyond controlling/viewing Nest devices and creates unnecessary third-party data disclosure. Because the events concern home surveillance, the privacy impact is significant and the skill context makes this more dangerous, not less.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Sending Nest event notifications to the Clawdbot gateway adds an external integration that is not part of the declared Nest-device purpose and broadens exposure of household activity data. Even if the payload is short, it still leaks private event metadata to another service.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The skill enumerates environment keys to locate any 1Password token and can pull secrets from both 1Password and environment variables, expanding its access beyond narrow device-control logic. In an agent environment, broad secret discovery increases blast radius if the skill is misused or compromised, especially because these credentials enable access to cameras and home devices.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The broad usage description could cause the skill to trigger on generic home, monitoring, or door-related requests without clear boundaries. In a smart-home context, overbroad activation is risky because it may lead to unexpected camera access, event monitoring, or device control when the user did not intend to invoke those capabilities.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation does not prominently warn users that the skill can view camera feeds and forward event images to Telegram. In a home surveillance context, missing privacy disclosure is especially dangerous because occupants and visitors may be recorded or transmitted off-platform without informed consent or expectation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The handler logs the full decoded event payload, which may contain device identifiers, timestamps, and activity details for motion, person detection, and doorbell events. In a smart-home context, such logs create a sensitive record of household behavior that may be accessible to operators or other systems.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Camera snapshots are sent to Telegram without any visible consent, warning, or disclosure about third-party transfer of surveillance imagery. This is especially dangerous for a Nest skill because it can expose intimate home images and visitor identities outside the primary device ecosystem.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now nest-webhook cloudflared-nest
```

### 6. Create Pub/Sub Push Subscription
Confidence
80% confidence
Finding
systemctl enable

VirusTotal

63/63 vendors flagged this skill as clean.
