Philips Hue

Security checks across malware telemetry and agentic risk

Overview

This is mostly a normal Philips Hue control skill, but a crafted color value can make its script run unintended local Python code.

Review before installing. Patch `hue.sh` so hex colors must match a strict pattern such as `#[0-9A-Fa-f]{6}`, and only pass trusted color values until fixed. Keep the `.env` file private, do not commit it, and avoid placing the Hue API key in shared prompts, screenshots, or workspace docs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 85%
Finding
The skill instructs users to store a Hue bridge IP and API key in a `.env` file but provides no warning about treating that file as sensitive. This can lead to accidental disclosure through source control, backups, logs, or shared workspaces, which would allow unauthorized local-network control of the user's lighting system.

VirusTotal

66/66 vendors flagged this skill as clean.
