ClawHub
Back to skill

Security audit

Ninebot

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only Ninebot helper; its device-changing commands are disclosed and relevant, but users should confirm risky actions like speed changes or factory reset.

Install only if you want an agent to assist with Ninebot diagnostics and configuration. Before allowing any real device action, confirm the exact device and command, keep the vehicle stationary, and be especially cautious with speed-limit changes, firmware-related steps, and factory reset because they may alter safety behavior or erase settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill advertises parameter-changing capabilities such as modifying speed limits and other device settings, but it does not describe any confirmation flow, safety guardrails, or warning about physical and operational consequences. In a vehicle-control context, undocumented or unguarded configuration changes can lead to unsafe operation, regulatory issues, or accidental misconfiguration by users.

Missing User Warnings

High
Confidence
97% confidence
Finding
Documenting a factory reset command without a prominent warning about loss of configuration, pairing data, and possible recovery steps creates a significant risk of accidental destructive action. Because this skill controls real devices, a reset may disrupt operation, remove custom safety settings, or require re-pairing and reconfiguration before the device can be safely used again.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal