ClawHub

Iot Bridge

Security checks across malware telemetry and agentic risk

Overview

The skill teaches users to expose local IoT services through a public tunnel, which is risky but clearly matches its stated purpose and is not hidden or automatic.

Before using this skill, make sure any exposed IoT dashboard, broker, or API has strong authentication, TLS where applicable, least-privilege network binding, and logging. Avoid exposing admin, debug, default-password, or unauthenticated services, and remember that a third-party tunnel can make local device data and controls reachable from the internet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill’s purpose is to expose local IoT services, dashboards, and brokers to the public internet, but the top-level description and early guidance do not prominently warn about the security and privacy implications of doing so. This is dangerous because users may expose sensitive local infrastructure, telemetry, dashboards, or device control interfaces without understanding that unauthenticated third parties could reach them through a third-party tunnel.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions explicitly walk the user through creating a public tunnel for HTTP dashboards and TCP services such as MQTT, then direct them to connect remote devices and services to that endpoint, without strong safety gating. In the IoT context this is more dangerous because exposed MQTT brokers, Home Assistant, Node-RED, Grafana, or custom APIs can permit data exfiltration, device manipulation, pivoting into the local network, or abuse of insecure default configurations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal