Garden Irrigation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real garden irrigation skill, but it can open physical water valves without confirmation and can send operational reports externally when configured.

Install only if you intend to give this skill Tuya device-control credentials and are comfortable with it controlling irrigation hardware. Before first use: set automation.require_confirmation to true (or use the confirmation script) so no valve opens without a per-run confirmation; verify every valve and sensor ID against your device list; leave bot reporting disabled unless you need it, and if you enable it, check that the bot target is the one you expect; and make sure the parent ../config directory is not writable by untrusted processes, since its contents are copied in automatically.
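The following is an added example, not code from the Garden Irrigation skill, showing how the pre-install checklist above can be turned into a fail-closed audit plus a confirmation gate in front of valve actuation. The settings layout (automation.require_confirmation, reporting.bot_enabled, reporting.bot_target, zones[].valve_id and sensor_id) and the injected tuya_send callable are assumptions for illustration; the real skill's keys and client may differ.

```python
"""Pre-flight audit and confirmation gate for a valve-control skill.

Added example, not the skill's own code. Config key names and the Tuya
client interface are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Settings:
    require_confirmation: bool = True          # default is the safe choice
    bot_enabled: bool = False
    bot_target: str = ""
    zones: dict = field(default_factory=dict)  # zone -> {"valve_id", "sensor_id"}

    @classmethod
    def from_dict(cls, raw: dict) -> "Settings":
        auto = raw.get("automation", {})
        rep = raw.get("reporting", {})
        # Fail closed: an absent key means confirmation IS required.
        return cls(
            require_confirmation=bool(auto.get("require_confirmation", True)),
            bot_enabled=bool(rep.get("bot_enabled", False)),
            bot_target=str(rep.get("bot_target", "")),
            zones=dict(raw.get("zones", {})),
        )


def audit(settings: Settings, known_device_ids: set, trusted_targets: set) -> list:
    """Return the checklist items that are NOT satisfied (empty list = clean)."""
    problems = []
    if not settings.require_confirmation:
        problems.append("automation.require_confirmation is false: valves can open unattended")
    if settings.bot_enabled and settings.bot_target not in trusted_targets:
        problems.append(f"reporting.bot_target {settings.bot_target!r} is not a reviewed target")
    for zone, ids in settings.zones.items():
        for key in ("valve_id", "sensor_id"):
            dev = ids.get(key)
            if dev not in known_device_ids:
                problems.append(f"zone {zone!r}: {key} {dev!r} not in the Tuya device list")
    return problems


class ConfirmationRequired(Exception):
    """Raised when actuation is attempted without a per-run confirmation."""


def open_valve(settings: Settings, zone: str, confirmed: bool, tuya_send) -> str:
    """Open one zone's valve only if the operator confirmed this specific run.

    tuya_send(device_id, command) is injected so the gate can be exercised
    offline; a real caller would pass the device API client's send method.
    """
    if zone not in settings.zones:
        raise KeyError(f"unknown zone {zone!r}")
    if settings.require_confirmation and not confirmed:
        raise ConfirmationRequired(f"refusing to open valve for {zone!r} without confirmation")
    valve_id = settings.zones[zone]["valve_id"]
    tuya_send(valve_id, {"switch": True})
    return f"opened {valve_id}"


if __name__ == "__main__":
    # Constructed sample: one zone, no bot, confirmation left at default.
    cfg = Settings.from_dict({"zones": {"front": {"valve_id": "v1", "sensor_id": "s1"}}})
    print(audit(cfg, known_device_ids={"v1", "s1"}, trusted_targets=set()))
    print(open_valve(cfg, "front", confirmed=True, tuya_send=lambda d, c: None))
```

Run `audit` at skill start-up and refuse to proceed while it returns anything; `open_valve` then needs an explicit `confirmed=True` that the confirmation script (or an interactive prompt) supplies for that run only, never a value cached in configuration.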

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exercises significant capabilities in practice (environment variable access, file read/write, network use, and shell execution) yet declares no explicit permissions model. This weakens reviewability and informed consent, especially because the skill can reach cloud APIs, write persistent data, and invoke automation scripts that affect physical devices.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The top-level description frames the skill as making irrigation decisions, but the documented behavior goes further by opening valves, sending reports/messages, persisting logs, and accepting interactive control flow. That mismatch can mislead operators into invoking a skill with physical side effects and data egress they did not expect, increasing the chance of unintended watering or information disclosure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script does more than analyze irrigation conditions: it directly actuates physical valves when automation is enabled. That is a real integrity and safety boundary issue, because a user invoking a seemingly informational/reporting skill can trigger real-world actions affecting property, water usage, and equipment without an explicit, per-run confirmation. Valve control is relevant functionality for a garden irrigation skill, but it is made more dangerous by the manifest not clearly disclosing that actuation can happen autonomously.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script can transmit irrigation reports to a bot when configuration flags are enabled, but this outbound sharing is not disclosed in the manifest. Even if the content seems operational, reports may include zone names, device statuses, sensor data, timestamps, and execution results, creating an unexpected data exfiltration path to an external service. In this skill context, notifications are plausible, but undisclosed external transmission materially increases privacy and trust risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script introduces an outbound messaging capability that is not clearly reflected in the skill description, creating a scope-expansion risk. Even though it currently sends irrigation reports rather than obviously sensitive secrets, the message body includes operational data and could be repurposed to exfiltrate additional information or trigger unauthorized external communications from the agent environment.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This module adds outbound messaging/report-delivery capability that is not reflected in the skill description, expanding the skill from local irrigation decisioning into external data transmission. Even if the report only contains irrigation information, hidden or undocumented exfiltration channels are security-relevant because they can leak operational data or be repurposed to send other content to arbitrary targets.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function reports success even when no message was actually sent and only console instructions were printed. This can cause upstream logic, operators, or audits to believe a notification occurred when it did not, masking delivery failures and enabling insecure fallback handling to be treated as successful execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises Telegram delivery of irrigation reports but does not clearly warn users that operational data will be transmitted to a third-party service. In a home automation context, irrigation schedules, zone names, and timing/location metadata can reveal occupancy patterns, property layout, or other sensitive household information, making undisclosed external transmission a real privacy risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "start watering" is generic conversational language and can be matched during ordinary discussion rather than deliberate device control. In a skill that can actuate irrigation valves, ambiguous invocation creates a real risk of accidental physical actions and resource waste.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes automatic valve opening but does not present a strong, prominent warning that the action has physical side effects. Because this skill controls real irrigation hardware, insufficient warning raises the likelihood of unintended watering, water damage, or operation at inappropriate times.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The fallback path prints the destination, account ID, title, content length, and a preview of report content to stdout without redaction or explicit consent. Console output is often captured by logs, wrappers, or monitoring systems, so this creates an unintended disclosure channel for potentially sensitive operational data and messaging metadata.
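The two findings on the notifier (reporting success when only console instructions were printed, and echoing destination, account ID and content preview to stdout) point at the same fallback path. The added example below, which is not the skill's own notifier, shows one way to fix both: a delivery function returns a distinct status for "sent", "skipped", "failed" and "nothing left the host", and the fallback prints only a hashed fingerprint of the target and the report length. The DeliveryStatus values, the injected transport callable and the redaction rule are assumptions for illustration.

```python
"""Report delivery that reports honestly and redacts its own fallback output.

Added example, not the skill's own code. DeliveryStatus, the transport
callable and the redaction rule are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class DeliveryStatus(Enum):
    SENT = "sent"
    SKIPPED = "skipped"                        # reporting disabled in config
    FAILED = "failed"                          # transport raised
    NOT_SENT_FALLBACK = "not_sent_fallback"    # no transport; nothing left the host


@dataclass
class DeliveryResult:
    status: DeliveryStatus
    detail: str = ""

    @property
    def delivered(self) -> bool:
        # Only SENT counts as success; callers and audit logs must not
        # treat the console fallback as a delivered notification.
        return self.status is DeliveryStatus.SENT


def redact_target(target: str) -> str:
    """Replace a chat/account id with a short fingerprint for local output."""
    digest = hashlib.sha256(target.encode()).hexdigest()[:8]
    return f"<target:{digest}>"


def deliver_report(enabled: bool, target: str, title: str, body: str,
                   transport=None) -> DeliveryResult:
    """Send a report via transport(target, title, body); never claim success otherwise."""
    if not enabled:
        return DeliveryResult(DeliveryStatus.SKIPPED, "reporting disabled")
    if transport is None:
        # Fallback path: do not echo the account id, title text or a content
        # preview to stdout (it ends up in logs); state only that nothing was sent.
        print(f"report NOT sent: no transport configured for {redact_target(target)} "
              f"({len(body)} chars withheld)")
        return DeliveryResult(DeliveryStatus.NOT_SENT_FALLBACK, "no transport configured")
    try:
        transport(target, title, body)
    except Exception as exc:   # a transport error is a delivery failure, not success
        return DeliveryResult(DeliveryStatus.FAILED, type(exc).__name__)
    return DeliveryResult(DeliveryStatus.SENT)


if __name__ == "__main__":
    # Constructed sample run with reporting enabled but no transport wired up.
    result = deliver_report(True, "123456789", "Morning run", "zone front: 10 min")
    print(result.status.value, result.delivered)   # not_sent_fallback False
```

Upstream code should branch on `result.delivered` (or the specific status) rather than on a boolean return; the fallback then shows up in audits as an undelivered report instead of masquerading as a sent one.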

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The constructor automatically copies every file from ../config into the skill's local config directory before loading configuration, with no validation, warning, or explicit opt-in. This creates a configuration trust-boundary violation: anyone or any process able to modify the parent directory can silently change irrigation behavior, zone definitions, or other settings, which is especially relevant for a skill that controls physical watering actions.
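As an added example (not the skill's constructor), here is a guarded replacement for the blind "copy everything from ../config" step: it refuses a parent directory that is a symlink, not owned by the current user, or writable by group/others; it imports only allowlisted regular files that are themselves not writable by others; and it never follows symlinks. The file names in ALLOWED and the src/dst layout are assumptions for illustration, and the ownership check uses os.getuid, so the import function is POSIX-only.

```python
"""Guarded import of operator-managed configuration from a parent directory.

Added example, not the skill's own code. ALLOWED file names and the
src/dst layout are assumptions; os.getuid makes import_config POSIX-only.
"""
import os
import shutil
import stat
from pathlib import Path

ALLOWED = {"zones.json", "automation.json", "reporting.json"}  # assumed file names


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set on an st_mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def select_imports(entries: list) -> tuple:
    """Decide which directory entries may be imported.

    entries: (name, st_mode, is_symlink) triples as obtained from lstat.
    Returns (accepted names, rejection reasons). Pure, so it is easy to test.
    """
    accepted, rejected = [], []
    for name, mode, is_symlink in entries:
        if name not in ALLOWED:
            rejected.append(f"{name}: not in allowlist")
        elif is_symlink:
            rejected.append(f"{name}: symlink, could point outside the config directory")
        elif not stat.S_ISREG(mode):
            rejected.append(f"{name}: not a regular file")
        elif writable_by_others(mode):
            rejected.append(f"{name}: writable by group/others")
        else:
            accepted.append(name)
    return accepted, rejected


def import_config(src: Path, dst: Path) -> list:
    """Copy accepted files from src into dst; raise instead of importing from an untrusted src.

    Returns the list of rejection reasons so the caller can log them.
    """
    st = src.lstat()
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{src}: not a real directory")
    if st.st_uid != os.getuid() or writable_by_others(st.st_mode):
        raise PermissionError(
            f"{src}: owned by uid {st.st_uid} or writable by others; refusing to import")
    entries = []
    for p in src.iterdir():
        s = p.lstat()                       # lstat: do not follow symlinks
        entries.append((p.name, s.st_mode, stat.S_ISLNK(s.st_mode)))
    accepted, rejected = select_imports(entries)
    dst.mkdir(parents=True, exist_ok=True)
    for name in accepted:
        shutil.copyfile(src / name, dst / name)   # copyfile, not copytree: no recursion
    return rejected


if __name__ == "__main__":
    # Assumed layout: <skill>/config receives files from the sibling ../config.
    here = Path(__file__).resolve().parent
    print(import_config(here.parent / "config", here / "config"))
```

Run this in place of the unconditional copy and surface the returned rejections to the operator; a rejected zones.json is exactly the tampering signal the finding above is worried about.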

VirusTotal

VirusTotal findings are pending for this skill version.
