Wiz Smart Light Control

Security checks across malware telemetry and agentic risk

Overview

This skill transparently controls local Wiz smart bulbs and does not show hidden data access, persistence, or unrelated behavior.

Install this only if you want the agent to control Wiz bulbs on your local network. Use explicit prompts with the device name and correct bulb IP, consider confirming on/off or disco actions before execution, use a positive limited disco duration, and consider pinning the pywizlight package version in security-sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The example prompts are short, generic household phrases like 'Turn off the light' and 'Change the light color to red,' which are plausible in normal conversation and can unintentionally invoke this skill. Because the skill controls a physical device on the local network, accidental triggering can cause unwanted device state changes and create opportunities for prompt/command routing mistakes in larger agent systems.

VirusTotal

66/66 vendors flagged this skill as clean.
