Back to skill

Security audit

Intiface Direct Control

Security checks across malware telemetry and agentic risk

Overview

This skill openly controls intimate devices, but it gives an agent direct physical control without enough consent and endpoint-safety guardrails.

Install only if you intentionally want OpenClaw to control an Intiface/Buttplug device. Keep the server on localhost unless you fully trust the network endpoint, confirm consent from anyone using or wearing the device before each session, start at low intensity, and make sure you can stop the device immediately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill enables remote control of intimate devices but does not present an explicit safety/consent warning before issuing stimulation commands. In this context, omission of a clear warning increases the risk of unexpected activation, misuse by another person with agent access, or user harm/discomfort because the commands directly affect physical devices.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script allows its WebSocket target to be set via INTIFACE_WS_URL and will send device-control commands to that endpoint without any explicit warning, trust check, or transport security requirement. In the context of intimate-device control, this increases the risk of users unknowingly sending sensitive control commands to a remote host on the network, enabling unauthorized device manipulation or privacy exposure if the endpoint is malicious or intercepted.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.