Back to skill

Security audit

Nest Devices

Security checks across malware telemetry and agentic risk

Overview

This Nest skill is mostly purpose-aligned, but it can run a persistent public webhook and automatically send sensitive home camera/event data to third-party services.

Install only if you intentionally want a persistent Nest monitoring service. Use dedicated least-privilege Nest credentials, rotate and protect all tokens, verify the cloudflared binary, restrict and authenticate the webhook, review logs for sensitive event data, and enable Telegram photo alerts only where sharing home camera images is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (20)

Tainted flow: 'rtsp_url' from os.environ.get (line 174, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
with tempfile.NamedTemporaryFile(suffix='.jpg', delete=False) as f:
            output_path = f.name

        subprocess.run([
            'ffmpeg', '-y', '-rtsp_transport', 'tcp',
            '-i', rtsp_url, '-frames:v', '1', '-q:v', '2',
            '-f', 'image2', output_path
Confidence
88% confidence
Finding
subprocess.run([ 'ffmpeg', '-y', '-rtsp_transport', 'tcp', '-i', rtsp_url, '-frames:v', '1', '-q:v', '2', '-f', 'image2', output_path ], capture_out

Tainted flow: 'req' from os.environ.get (line 287, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
'Content-Type': 'application/json',
            },
        )
        urllib.request.urlopen(req, timeout=5)
    except Exception as e:
        print(f"[HOOK] Error: {e}")
Confidence
96% confidence
Finding
urllib.request.urlopen(req, timeout=5)

Tainted flow: 'req' from os.environ.get (line 287, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
'Content-Type': f'multipart/form-data; boundary={boundary}',
        })

        with urllib.request.urlopen(req, timeout=15) as resp:
            result = json.loads(resp.read())
            if result.get('ok'):
                print(f"[TELEGRAM] Photo sent successfully")
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=15) as resp:

Tainted flow: 'req' from os.environ.get (line 287, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
'Content-Type': 'application/json',
        })

        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read()).get('ok', False)
    except Exception as e:
        print(f"[TELEGRAM] Error: {e}")
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Tainted flow: 'img_req' from os.environ.get (line 136, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
img_req = urllib.request.Request(image_url, headers={
                'Authorization': f'Basic {image_token}',
            })
            with urllib.request.urlopen(img_req, timeout=15) as img_resp:
                image_data = img_resp.read()
                print(f"[IMAGE] Downloaded {len(image_data)} bytes")
                return image_data
Confidence
86% confidence
Finding
with urllib.request.urlopen(img_req, timeout=15) as img_resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes use of environment variables, shell commands, and network access, but the manifest does not declare permissions or capabilities. This creates a transparency and policy-enforcement gap: an agent or reviewer may authorize a seemingly simple home-control skill without realizing it can access secrets, call external services, and expose services over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The manifest frames the skill as direct Nest device control, but the file also documents webhook hosting, public tunnel exposure, Telegram image forwarding, and asynchronous event processing. This mismatch is dangerous because users and orchestrators may invoke or approve the skill under a narrower trust model than the actual behavior warrants, especially given camera images and doorbell events are sent to third parties.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented behavior expands from device control into Telegram alerting and webhook-based forwarding to external systems. Extending beyond the manifest scope increases the chance of unintended data sharing, especially for camera snapshots and occupancy-related events, without clear user consent or review aligned to those features.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Sending Nest event alerts and images to Telegram introduces a third-party exfiltration path for sensitive household data, including who is at the door and occupancy-related snapshots. This is especially risky because the skill’s stated purpose does not clearly justify exporting surveillance data to Telegram, and users may not expect that disclosure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The setup instructs users to expose a webhook through a Cloudflare tunnel, creating public network reachability that goes beyond normal local device-control expectations. Public exposure increases the attack surface for spoofed requests, endpoint probing, and operational mistakes that could lead to unauthorized event ingestion or service abuse.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill's declared purpose is controlling/viewing Nest devices via the Device Access API, but this code additionally republishes events and images to Telegram and a separate gateway. That mismatch matters because it expands data sharing to third parties and creates a surveillance/privacy exposure beyond what a user would reasonably expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Invoking ffmpeg introduces a broad media-processing and network-capable binary into a webhook path, which materially expands the attack surface beyond simple Nest device control. In this context, processing remote RTSP content from event-triggered flows increases risk of parser exploitation, SSRF, and resource abuse.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation description is broad enough to trigger the skill for common home-monitoring or temperature requests, potentially causing activation in contexts where users did not intend camera access or external alerting. In a skill that can handle surveillance-related actions and notifications, over-broad routing materially increases privacy and misuse risk.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill description lacks an explicit privacy warning despite handling camera feeds, event images, and third-party alert delivery. Without upfront disclosure, users may unknowingly authorize actions that expose highly sensitive in-home surveillance data or occupancy information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code transmits Nest-derived event notifications and potentially images to Telegram without any evident user-facing disclosure or consent flow. For a smart-home skill, silent external sharing of camera/doorbell data is especially sensitive because it exposes household activity and visitor information.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script executes thermostat-changing actions immediately from CLI input with no confirmation, policy check, or secondary authorization. In an agent context, this increases the chance of unintended physical-world actions such as changing home temperature based on ambiguous, spoofed, or manipulated requests.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Generating and returning camera stream access details exposes live surveillance capability without any explicit consent gate, warning, or access-control check in the tool itself. In an agent setting, this can enable privacy-invasive access to home camera feeds if triggered by a malicious or mistaken prompt.

External Transmission

Medium
Category
Data Exfiltration
Content
body += f'--{boundary}--\r\n'.encode()

        url = f'https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendPhoto'
        req = urllib.request.Request(url, data=body, method='POST', headers={
            'Content-Type': f'multipart/form-data; boundary={boundary}',
        })
Confidence
96% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
'text': text,
        }).encode()

        url = f'https://api.telegram.org/bot{TELEGRAM_BOT_TOKEN}/sendMessage'
        req = urllib.request.Request(url, data=payload, method='POST', headers={
            'Content-Type': 'application/json',
        })
Confidence
94% confidence
Finding
https://api.telegram.org/

Unvalidated Output Injection

High
Category
Output Handling
Content
with tempfile.NamedTemporaryFile(suffix='.jpg', delete=False) as f:
            output_path = f.name

        subprocess.run([
            'ffmpeg', '-y', '-rtsp_transport', 'tcp',
            '-i', rtsp_url, '-frames:v', '1', '-q:v', '2',
            '-f', 'image2', output_path
Confidence
87% confidence
Finding
subprocess.run([ 'ffmpeg', '-y', '-rtsp_transport', 'tcp', '-i', rtsp_url, '-frames:v', '1', '-q:v', '2', '-f', 'image2', output_path ], capture_output

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.